Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gateway: CORS and Cache-Control: only-if-cached #400

Open
MarcoPolo opened this issue Apr 17, 2023 · 1 comment
Open

gateway: CORS and Cache-Control: only-if-cached #400

MarcoPolo opened this issue Apr 17, 2023 · 1 comment
Labels
need/triage Needs initial labeling and prioritization

Comments

@MarcoPolo
Copy link

Without this you cannot make a CORS request for content with the Cache-Controle header.

For example, this request to check if the gateway has the cid in cache fails (from a different origin):

await fetch(new Request(`${url}/ipfs/${cid.toString()}/`, { method: 'HEAD', headers: { 'Cache-Control': 'only-if-cached' } }))

A server should be able to fix this by setting the header

"Access-Control-Allow-Headers"="Cache-Control"

This should probably be mentioned here: https://specs.ipfs.tech/http-gateways/path-gateway/#cache-control-request-header.

I believe @lidel mentioned setting this header alone might not be enough, but from some local testing, it seems to work fine(?)

@MarcoPolo MarcoPolo added the need/triage Needs initial labeling and prioritization label Apr 17, 2023
@lidel
Copy link
Member

lidel commented Apr 21, 2023

Thanks for raising this issue @MarcoPolo

The problem I mentioned was browsers blocking only-if-cached in cross-origin requests. There was some back and forth around this (whatwg/fetch#159, whatwg/fetch#295) and https://fetch.spec.whatwg.org states:

"only-if-cached"
Fetch uses any response in the HTTP cache matching the request, not paying attention to staleness. If there was no response, it returns a network error. (Can only be used when request’s mode is "same-origin". Any cached redirects will be followed assuming request’s redirect mode is "follow" and the redirects do not violate request’s mode.)

Thing to confirm to check if setting Access-Control-Allow-Headers lifts the "Can only be used when request’s mode is same-origin" limitation in all browsers (Chromium, Firefox, Safari) and allows example.com to do cross-origin fetch from ipfs.io.

If setting Access-Control-Allow-Headers is enough, I agree, we should document it in the spec. I think we need a dedicated CORS section in "Notes for implementers" anyway (some prior art in /routing/v1 spec)

If it is not enough, then we may need IPFS-specific solution, probably a dedicated HTTP header Ipfs-Cache-Control and URL query parameter for controlling the cache behavior beyong HTTP semantics ('get', 'has' 'get-only-if-has'). But would be nicer if we don't need this.

@MarcoPolo Would you have time to check current state of only-if-cached and open a PR to update specs to make it work?

We would then apply fix in boxo/gateway and add conformance tests to https://github.com/ipfs/gateway-conformance.

@lidel lidel changed the title Path Gateway: Cache-Control header should be in the CORS Access-Control-Allow-Headers allow list. Path Gateway: CORS and Cache-Control: only-if-cached Apr 21, 2023
@lidel lidel changed the title Path Gateway: CORS and Cache-Control: only-if-cached gateway: CORS and Cache-Control: only-if-cached Jun 26, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
need/triage Needs initial labeling and prioritization
Projects
No open projects
Status: No status
Development

No branches or pull requests

2 participants