-
Notifications
You must be signed in to change notification settings - Fork 821
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BUG Fix regression in IE no-cache https file downloads. #2356
Conversation
@halkyon can you have a look? I don't really like how this if is structured - trying to detect the file download situation but it will break when someone changes Content-disposition to Content-Disposition and we will not notice it broke (again). Any ideas how to make it better? |
I think I prefer no-store, at least on all HTTPS requests. http://stackoverflow.com/questions/866822/why-both-no-cache-and-no-store-should-be-used-in-http-response for what it does (note that no-cache already stops intermediate proxies from caching, no-store just stops them from saving it to non-volatile storage as well) |
So, to be clear, keep all the existing checks (UA, content disposition is attachment), but also check if https. If so, use no-store. |
@hafriedlander AFAIK no-cache forces each cache to reissue a request, but it is possible for the server to reply with "not modified" content-less response, which allows the cache in turn to respond using locally cached body. This saves on transmission time between server and the cache. If we use no-store, my understanding is that caches will need to transmit body on each request, which will put the server under more load. Good idea with checking for HTTPS! |
@mateusz Yeah, it's possible to reply with a 304. But we never do - we always just regenerate the request (unless I'm missing a code path somewhere). |
Currently IE6-8 will refuse to download files over HTTPS with default Framework settings. Currently the HTTP::add_cache_headers competely overrides Cache-Control headers on each request, so there is no way to inject custom headers from the API-consuning methods. Also of note: adding no-store header also fixes the issue but will prevent proxies from caching the request body (which they do when using no-cache). So the setting max-age to some low number is a better choice here.
Have added an is_https check, and made it not break when someone decides to fix the header in HTTPRequest. I don't want to really change the header here because it seems to be an API change someone can rely on. Regarding the 304 - someone might actually implement 304s in the future :-) Do you have any reason why max-age=3 would be worse than no-store in this scenario? Max-age is time tested in this case. |
Seems it has passed the build, not sure why it's still yellow https://travis-ci.org/silverstripe/silverstripe-framework/builds/10611827 |
BUG Fix regression in IE no-cache https file downloads.
@mateusz There is a regression introduced in this fix where
Will follow up with a PR. |
Fixed with #2445 |
…eaders-fix BUG Fix regression introduced in #2356 (method call on non-object)
Currently IE6-8 will refuse to download files over HTTPS with default
Framework settings.
Currently the HTTP::add_cache_headers competely overrides Cache-Control
headers on each request, so there is no way to inject custom headers
from the API-consuning methods.
Also of note: adding no-store header also fixes the issue but will
prevent proxies from caching the request body (which they do when using
no-cache). So the setting max-age to some low number is a better choice
here.