Skip to content

Add Vary header to prevent caching routes with different content types #910

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 20, 2017
Merged

Add Vary header to prevent caching routes with different content types #910

merged 1 commit into from
Aug 20, 2017

Conversation

carols10cents
Copy link
Member

Such as the /me route, which can be requested by the browser for its
frontend HTML or its backend JSON, but the browser should not cache
either and return it for the other one.

Fixes #888.

I was able to reproduce the problem with reloading locally when, instead of using ember serve, I ran npm run build -- --environment production and then served the files in dist using nginx. This change fixed the problem!

@sgrif @jtgeibel do yinz see any reason NOT to set this header for literally any non-asset route?

@jtgeibel
Copy link
Member

do yinz see any reason NOT to set this header for literally any non-asset route?

Here is what I see in a clean dist/ after running your npm run build -- --environment production command.

dist
├── assets
│   ├── [...]
├── crossdomain.xml
├── favicon.ico
├── index.html
├── moment
│   ├── fastboot-moment-62eb34042848ca105b39d48fa2474ea3.js
│   └── fastboot-moment-timezone-abadb8be73831ba0ff2208c313da0af0.js
├── opensearch.xml
└── robots.txt

Ideally, the other static files outside of /assets/ would be served with Vary: Accept-Encoding as the response will not vary based on the Accept or Cookie headers. This seems minor to me since we're using end-to-end https in production and thus don't have to optimize for caching proxy servers. We would want to clean this up if we start using CloudFront or CloudFlare. I have some ideas on other changes to our nginx setup and I'll open a separate issue to discuss those.

For all the dynamic responses served by the backend the full Vary: Accept, Accept-Encoding, Cookie header seems appropriate. This will fix the issue we are seeing on production and will prevent us from poisoning any more client caches.

@jtgeibel
Copy link
Member

To follow up on this, I think that long term we should look to move the following routes to somewhere under /api:

  • GET /me
  • GET /me/updates
  • GET /me/tokens
  • POST /me/tokens
  • DELETE /me/tokens/:id
  • GET /summary

That would eliminate the need for setting the header in our nginx configuration, which isn't always available (such as during development). I see no issue with merging this PR as a workaround for now. Maybe add something like # TODO: Remove once /me is moved under /api?

The routes listed above are used only by the frontend. The cargo install command does tell the user to visit /me to obtain a token, however even after moving these routes the backend will continue to return index.html and load the appropriate frontend route as it does today.

@carols10cents
Add Vary header to prevent caching routes with different content types
087924b 
Such as the /me route, which can be requested by the browser for its
frontend HTML or its backend JSON, but the browser should not cache
either and return it for the other one.

Fixes rust-lang#888.
@carols10cents
Copy link
Member Author

I'm going to merge this in as-is. I do want to move those /me routes in the backend eventually, but I want to fix this issue now :)

bors: r+

bors-voyager bot added a commit that referenced this pull request Aug 20, 2017
@bors-voyager
Merge #910
cee4c78 
910: Add Vary header to prevent caching routes with different content types r=carols10cents

Such as the /me route, which can be requested by the browser for its
frontend HTML or its backend JSON, but the browser should not cache
either and return it for the other one.

Fixes #888.

I was able to reproduce the problem with reloading locally when, instead of using `ember serve`, I ran `npm run build -- --environment production` and then served the files in `dist` using nginx. This change fixed the problem! 

@sgrif @jtgeibel do yinz see any reason NOT to set this header for literally any non-asset route?
@bors-voyager
Copy link
Contributor

bors-voyager bot commented Aug 20, 2017

Build succeeded

@bors-voyager bors-voyager bot merged commit 087924b into rust-lang:master Aug 20, 2017
@jtgeibel jtgeibel mentioned this pull request Aug 24, 2017
Closed
@carols10cents carols10cents deleted the vary branch August 26, 2017 23:37
This was referenced Aug 26, 2017
Closed
Merged
bors-voyager bot added a commit that referenced this pull request Aug 27, 2017
@bors-voyager
Merge #1017
dc195a3 
1017: Move backend routes under api/v1 r=carols10cents

For consistency, to avoid the clash with the frontend /me route that
caused problems with staying logged in, to make it clear that these
routes are part of the public HTTP API provided by crates.io, and to
let us evolve these routes in the future.

This would make me feel comfortable about adding a cargo command that uses the info from the backend me route (see #1012).

We could do this more conservatively by leaving the old routes here and only adding the new routes... but we haven't made any guarantees about the stability of these routes, so...

See discussion: #910 (comment)

@jtgeibel wdyt?
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Does not stay signed in
3 participants
@carols10cents @jtgeibel @Turbo87