Closed
Bug 1155813
Opened 10 years ago
Closed 10 years ago
Add the file hash as a GET parameter in its download URL to prevent CDN issues
Categories
(addons.mozilla.org Graveyard :: Admin/Editor Tools, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
2015-04
People
(Reporter: magopian, Assigned: magopian)
Details
When a file's content is updated (e.g. when it's signed), we also update its hash. However, the CDN might continue caching the original file for 24 hours, while its hash has now changed.
This means the old file will still be provided, and also that the "install addon" will fail with a message saying that the addon wasn't downloaded because its content was different from what was expected.
Adding the file hash as a GET parameter to the URL will prevent this issue.
Comment 1•10 years ago
PR: https://github.com/mozilla/olympia/pull/512
STR: check any url that points to the final xpi (not one that results in a redirect, like /latest/, but for example the "install button" links in the versions pages of any addon). It should end with "?filehash=<some hash>".
Comment 2•10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Comment 3•10 years ago
Correction to the STR: the "?filehash=..." isn't visible straight away on AMO, it's when the url is redirected to the CDN that it appears. You'll need to either "curl" the url I was talking about and check the "location" part, or use an addon like "httpfox".
Example:
1/ go to https://addons-dev.allizom.org/en-US/firefox/addon/s3google-translator/versions/
2/ right click on the green "add to firefox" button and copy url
3/ use curl (or httpie) to query it:
(olympia)mathieu@shiny:~/olympia (master)$ http https://addons-dev.allizom.org/firefox/downloads/file/245148/s3google_translator-2.13-fx.xpi?src=version-history
HTTP/1.1 302 FOUND
Connection: keep-alive
Content-Security-Policy-Report-Only: script-src 'self' https://www.google.com https://mozorg.cdn.mozilla.net https://www.paypalobjects.com https://ssl.google-analytics.com https://addons-dev-cdn.allizom.org/user-media; default-src * data:; style-src * 'unsafe-inline'; frame-src https://ssl.google-analytics.com https://sandbox.paypal.com; object-src 'none'; report-uri /services/csp/report
Content-Type: text/html; charset=utf-8
Date: Fri, 17 Apr 2015 19:54:34 GMT
Location: https://addons-dev-cdn.allizom.org/user-media/addons/285546/s3google_translator-2.13-fx.xpi?filehash=sha256%3Ad64207f114795253e6823c548fd7d3d7f279038520a2f8d8ab1e295519874534
Server: nginx
Strict-Transport-Security: max-age=31536000
Transfer-Encoding: chunked
Vary: X-Mobile, User-Agent
Via: Moz-zlb10
X-Backend-Server: dev1
X-Frame-Options: DENY
X-Target-Digest: sha256:d64207f114795253e6823c548fd7d3d7f279038520a2f8d8ab1e295519874534
4/ check the "Location" header: it's the CDN url with the ?filehash=sha256%3Ad<the hash here>
5/ make sure the hash is the same as what's in the X-Target-Digest (the part after "sha256:")
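The comparison in steps 4/ and 5/ above, together with the client-side digest check the bug description refers to, as an added example (not code from this bug or from olympia). The two headers are copied from the response quoted in comment 3; the function names and the ALLOWED list are assumptions of the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, parse_qs

ALLOWED = ("sha256", "sha512")  # assumption: the bug itself only shows sha256
HEX = set("0123456789abcdef")

# The two relevant headers, copied from the 302 response quoted in comment 3.
DIGEST = "d64207f114795253e6823c548fd7d3d7f279038520a2f8d8ab1e295519874534"
SAMPLE_HEADERS = {
    "Location": "https://addons-dev-cdn.allizom.org/user-media/addons/285546/"
                "s3google_translator-2.13-fx.xpi?filehash=sha256%3A" + DIGEST,
    "X-Target-Digest": "sha256:" + DIGEST,
}

def parse_digest(value):
    """Split '<algo>:<hex>' into (algo, lowercase hex); raise ValueError if malformed."""
    algo, sep, hexpart = value.strip().lower().partition(":")
    if not sep or algo not in ALLOWED:
        raise ValueError("unsupported digest: %r" % value)
    if len(hexpart) != hashlib.new(algo).digest_size * 2 or set(hexpart) - HEX:
        raise ValueError("malformed digest: %r" % value)
    return algo, hexpart

def filehash_from_location(location):
    """Return the (algo, hex) carried in ?filehash=..., or None if absent or repeated."""
    values = parse_qs(urlsplit(location).query).get("filehash", [])  # decodes %3A
    return parse_digest(values[0]) if len(values) == 1 else None

def redirect_is_consistent(headers):
    """Step 5/: the filehash in Location must equal X-Target-Digest."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if "location" not in h or "x-target-digest" not in h:
        return False
    return filehash_from_location(h["location"]) == parse_digest(h["x-target-digest"])

def digest_of(data, algo="sha256"):
    """Format the digest of some bytes the way X-Target-Digest does."""
    return "%s:%s" % (algo, hashlib.new(algo, data).hexdigest())

def payload_matches(data, digest_value):
    """Client-side check: do the downloaded bytes hash to the advertised digest?"""
    algo, expected = parse_digest(digest_value)
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), expected)

if __name__ == "__main__":
    print("redirect consistent:", redirect_is_consistent(SAMPLE_HEADERS))
```

A stale cached file shows up as `payload_matches()` returning False for the bytes the CDN served, which is the install failure described at the top of the bug.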
Updated•9 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard