Add basic support for access control headers to ActionDispatch::Static

[yuki24]

Now ActionDispatch::Static can accept access control headers such as Access-Control-Allow-Origin. These headers will be set as well as Cache-Control header when a response is delivered. Access control headers can be configured with #config in config/application.rb or config/environments/***.rb:

config.action_dispatch.access_control_headers = {
  "Access-Control-Allow-Origin"      => 'http://rubyonrails.org',
  "Access-Control-Expose-Headers"    => 'X-Other-Custom-Header',
  "Access-Control-Allow-Headers"     => 'X-Another-Custom-Header',
  "Access-Control-Max-Age"           => '42',
  "Access-Control-Allow-Credentials" => 'true',
  "Access-Control-Allow-Methods"     => 'GET'
}

cc/ @schneems

[yuki24]

Although this implementation works, I'm not sure about this interface since Cache-Control is also part of the HTTP headers and the third argument seems redundant. I guess this interface could be justdefault_headers.

[schneems]

Ultimately I think it looks good. Let's change some naming so that it's a little more generic. Instead of access_control_headers let's just use headers which is technically what it is (although you can use them as access control headers).

You can reduce the initialization logic to something like this:

headers ||= {}
headers['Cache-Control'] = cache_control

I would also change config.action_dispatch.access_control_headers to config.action_dispatch.asset_headers or something more accurate. We can then explicitly add a section in the guides that shows how to set access control headers http://guides.rubyonrails.org/asset_pipeline.html

I agree we should deprecate some interfaces here and clean some things up. Unfortunately as I understand, the deadline for getting deprecations in to Rails 5 was Rails 4.2.0

[yuki24]

Updated the commit as suggested. Thanks @schneems for reviewing!

[yuki24]

forgot to add a CHANGELOG entry btw. I'll add it tonight.

[schneems]

merge and reverse_merge are really expensive. Even though this only gets called once on initialization the code in this file is very performance sensitive and I don't want people copying existing style. Can you also factor out the merge?

[yuki24]

Thanks @schneems, removed the merge call,

[yuki24]

I'm not sure if this is the right place to define public_file_server. I'm open to suggestions.

[schneems]

What are we waiting on for this to go in? Anything a blocker here?

[yuki24]

I needed to use :not_set explicitly due to this change: #20017. I think we should make the index arg a keyword argument so we don't have to care about the order of the args here. Alternatively, we can just merge the static_index config into the public_file_server namespace, which I actually prefer, but I'm open to suggestions.

cc/ @eliotsykes @jonatack

[vipulnsward]

index can be kwarg too.

[yuki24]

Absolutely. See my comment above about it: #19135 (comment)

[yuki24]

I just sent a separate pull request for this: #20520. Now we need to wait on it to be merged before merging this PR.

[jonatack]

The comment states optional HTTP headers but the headers keyword is required. Perhaps headers: needs a default value?

[yuki24]

Headers are totally optional. I changed it to use a {} by default.

[jonatack]

Great.

This PR will break the interface for other services/gems that hook into it, for instance the Heroku-deflator gem here but seems unavoidable for adding this feature.

[yuki24]

oh, I didn't know that ActionDispatch::FileHandler is a public class. I don't think it's ok to break it.

[yuki24]

I did a little investigation but I'm not sure if we should treat ActionDispatch::FileHandler as a public class. It's basically an inner class. Does it still have to be public?

[yuki24]

@schneems updated the commit. I'm a bit concerned about the arguments of the ActionDispatch::Static initializer, but everything else should be good now.

[vipulnsward]

Would be good to have this as-

config.public_file_server.headers= {'Cache-Control' => #{value}}

This would suggest the options being passed to headers have been expanded.

[yuki24]

updated.

[vipulnsward]

@yuki24 Thanks a ton for this, I was looking to implement something similar due to this - https://twitter.com/vipulnsward/status/603866969201373184

[yuki24]

I believe everything should be good and we are ready to merge.

[schneems]

I spoke to @jeremy, I think it just fell off his radar. Can you rebase, this is good to merge.

[jeremy]

👍 Looks like a changelog conflict only, no need to rebase.

[yuki24]

@schneems @jeremy Thanks! ❤️ 💟 💛 💙 ❤️ 💟 💛 💙

[kaspth]

@yuki24 nice! Have you sent a pull request to enable public_file_server as mentioned in the outdated diffs yet? 😁

[yuki24]

@kaspth Not yet. I'm not sure if I can work on it anytime soon, so feel free to send a PR if you could.

[schneems]

What was the idea?

[kaspth]

@yuki24 @schneems added a pull request at #22173 😁

[kaspth]

Feels like this should be in the Railties CHANGELOG file. I will change it at #22173.