This repository has been archived by the owner on Jul 8, 2022. It is now read-only.

Don't use "allow_reload" as Cache Bypass Strategy and move to "expect" header #11

Closed
joeherold opened this issue Feb 13, 2018 · 1 comment

@joeherold

Get rid of the allow_reload, which can be targeted with ease by any user (Ctrl + Shift + R), resulting in touching the cache / creating a new cache.

By using your "preflight"? request, you could set the expect header for the request.
If the expect header is set, the parent handle function (HttpCache) will handle the request with the function pass.
The function pass forwards the Request to the backend without storing the Response in the cache and does not even touch the cache.

That way, the Request is handled by the Application and an unknown client may not modify/renew a cached site, which has an impact on every user requesting a page and then getting a new one. Even if a client set the Cookie value of BE_USER_AUTH himself, it would only result in the request being handled by the application instead of modifying the cache. If the value in the self-created cookie is not known, the application will remove it anyway.

https://github.com/symfony/symfony/blob/4ef0b3e18047a2b307af30494aa5f731e180a5f6/src/Symfony/Component/HttpKernel/HttpCache/HttpCache.php#L178-L179

The expect header seems a better solution to me than allow_reload.

The way I tested it was inline in TL_ROOT/web/app.php:

<?php

/*
 * This file is part of Contao.
 *
 * Copyright (c) 2005-2018 Leo Feyer
 *
 * @license LGPL-3.0+
 */

use Contao\ManagerBundle\ContaoManager\Plugin as ManagerBundlePlugin;
use Contao\ManagerBundle\HttpKernel\ContaoCache;
use Contao\ManagerBundle\HttpKernel\ContaoKernel;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\HttpKernelInterface;

/** @var Composer\Autoload\ClassLoader */
$loader = require __DIR__.'/../vendor/autoload.php';

ManagerBundlePlugin::autoloadModules(__DIR__.'/../system/modules');

ContaoKernel::setProjectDir(dirname(__DIR__));
$kernel = new ContaoKernel('prod', false);

/**
 * Class BypassCache
 *
 * Extended Contao cache that bypasses the cache proxy when the backend user cookie is present.
 */
class BypassCache extends ContaoCache {
    public function handle(Request $request, $type = HttpKernelInterface::MASTER_REQUEST, $catch = true)
    {
        if ($request->cookies->get('BE_USER_AUTH')) {
            /*
             * If the Expect header is set, the parent handle() function handles the request with pass().
             * pass(): forwards the Request to the backend without storing the Response in the cache.
             * vendor/symfony/symfony/src/Symfony/Component/HttpKernel/HttpCache/HttpCache.php on line 178
             *
             * That way, the Request is handled by the application and an unknown client cannot modify/renew a cache file,
             * which would have an impact on every user requesting the page and then getting a new one.
             *
             * So, if a client sets the BE_USER_AUTH cookie value himself, it will only result in the request being handled
             * by the application. If the value in the self-created cookie is not known, the application removes it anyway.
             */
            $request->headers->set('expect', true);
        }

        return parent::handle($request, $type, $catch);
    }

    protected function getOptions()
    {
        return ['allow_reload' => false];
    }
}


// Enable the Symfony reverse proxy
//$kernel = new ContaoCache($kernel);
$kernel = new BypassCache($kernel);
Request::enableHttpMethodParameterOverride();

// Handle the request
$request = Request::createFromGlobals();
$response = $kernel->handle($request);
$response->send();
$kernel->terminate($request, $response);
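As an added example (not from the issue, Contao or Symfony), a small Python model of the decision order in HttpCache::handle()/lookup() that the issue relies on, run through both strategies: with allow_reload an anonymous hard reload (Cache-Control: no-cache) re-renders the page and overwrites the cached entry that every other visitor receives, while the Expect-header bypass sends the cookie-bearing request straight to the backend and leaves the shared entry untouched. The dict store, the trace names and the BE_USER_AUTH handling are simplifications assumed for this model.

```python
# Model of Symfony HttpCache::handle()/lookup() for safe requests (Expect header ->
# pass(), allow_reload -> fetch()), reduced to a dict store. Constructed for illustration.
CACHEABLE_METHODS = {"GET", "HEAD"}

class ModelHttpCache:
    def __init__(self, backend, allow_reload, expect_bypass):
        self.backend = backend              # callable(path) -> response body
        self.allow_reload = allow_reload    # the option the issue argues against
        self.expect_bypass = expect_bypass  # the issue's BypassCache idea
        self.store = {}                     # path -> cached body (shared by all clients)
        self.traces = []                    # mirrors HttpCache's trace records

    def handle(self, method, path, headers=None, cookies=None):
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        # BypassCache::handle(): a backend-user cookie forces the pass() branch
        if self.expect_bypass and "BE_USER_AUTH" in (cookies or {}):
            headers["expect"] = "100-continue"
        if "expect" in headers or method not in CACHEABLE_METHODS:
            self.traces.append("pass")      # forwarded to the backend, never stored
            return self.backend(path)
        return self.lookup(path, headers)

    def lookup(self, path, headers):
        # Request::isNoCache() (Pragma: no-cache also counts in Symfony; omitted here)
        if self.allow_reload and "no-cache" in headers.get("cache-control", ""):
            self.traces.append("reload")    # any client's Ctrl+Shift+R lands here
            return self.fetch(path)
        if path in self.store:
            self.traces.append("fresh")
            return self.store[path]
        self.traces.append("miss")
        return self.fetch(path)

    def fetch(self, path):
        body = self.backend(path)
        self.store[path] = body             # assumes a cacheable backend response
        return body

def run_scenario(allow_reload, expect_bypass):
    """Anonymous hit, anonymous hard reload, then a request carrying BE_USER_AUTH."""
    renders = []
    def backend(path):
        renders.append(path)
        return "v%d" % len(renders)         # every backend render is a new version
    cache = ModelHttpCache(backend, allow_reload, expect_bypass)
    cache.handle("GET", "/")
    cache.handle("GET", "/", headers={"Cache-Control": "no-cache"})
    cache.handle("GET", "/", cookies={"BE_USER_AUTH": "any-value"})
    return cache.traces, dict(cache.store)
```

With allow_reload the second (anonymous) request rewrites the shared entry to v2; with the Expect strategy the cached v1 survives and only the cookie-bearing request reaches the backend.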
@Toflar
Member

Toflar commented Feb 13, 2018

Fixed in 72363d9
