Closed
Bug 1350909
Opened 7 years ago
Closed 7 years ago
Make index.cgi cache-friendly for logged out requests
Categories
(bugzilla.mozilla.org :: General, enhancement)
Tracking
()
RESOLVED
FIXED
People
(Reporter: dylan, Assigned: dylan)
References
Details
Attachments
(2 files, 7 obsolete files)
13.23 KB,
patch
|
glob
:
review+
|
Details | Diff | Splinter Review |
5.95 KB,
patch
|
glob
:
review+
|
Details | Diff | Splinter Review |
The index page is pretty boring, it should be pretty easy to cache.
Assignee | ||
Comment 1•7 years ago
|
||
To do this, I need to be free of nonces. There are three CSP errors if I turn off nonces for that page. This patch fixes the first
Assignee | ||
Comment 2•7 years ago
|
||
Attachment #8851621 -
Attachment is obsolete: true
Assignee | ||
Comment 3•7 years ago
|
||
Comment on attachment 8851636 [details] [diff] [review] 1350909_2.patch - expose encode_json to templates - store BUGZILLA as data attribute on head, and load in new headers.js - run index.cgi with no_yui - only use a <script> in the head if passed javascript= into template or using YUI.
Attachment #8851636 -
Flags: review?(glob)
Summary: Make index.cgi cache-friendly → Make index.cgi cache-friendly for logged out requests
Assignee | ||
Comment 4•7 years ago
|
||
Attachment #8851636 -
Attachment is obsolete: true
Attachment #8851636 -
Flags: review?(glob)
Attachment #8851782 -
Flags: review?(glob)
Assignee | ||
Comment 5•7 years ago
|
||
Attachment #8851786 -
Flags: review?(glob)
Assignee | ||
Comment 6•7 years ago
|
||
Comment on attachment 8851786 [details] [diff] [review] 1350909_add_cache_headers.patch a few problems I realized after spending even more time with caching: 1) max-age is not epoch seconds, just relative seconds so time() + is wrong. 2) tokens include IP addresses, we can't use those, so really we can only cache-private until I remove the rest of the login tokens out. 3) oh shit the CSRF protections from bug 1157395 while sufficient are not up to OWASP standards.
Attachment #8851786 -
Flags: review?(glob) → review-
Comment on attachment 8851786 [details] [diff] [review] 1350909_add_cache_headers.patch Review of attachment 8851786 [details] [diff] [review]: ----------------------------------------------------------------- ::: index.cgi @@ +41,2 @@ > > +my $weak_etag = q{W/"} . md5_hex(Bugzilla->user->id, Bugzilla->params->{bugzilla_version}) . q{"}; this etag isn't updated when dynamic content on the index page is updated (eg. custom lists in the footer, number of open requests in the header, email address, bug tagging, ...) i think we can only set an etag for non-authenticated requests.
Attachment #8851786 -
Flags: review-
Assignee | ||
Comment 8•7 years ago
|
||
Comment on attachment 8851782 [details] [diff] [review] 1350909_remove_csp_nonce.patch This is missing the #lob stuff -- just wasn't commited to the branch when I generated the diff, new one incoming
Attachment #8851782 -
Flags: review?(glob) → review-
Assignee | ||
Comment 9•7 years ago
|
||
Attachment #8851782 -
Attachment is obsolete: true
Attachment #8851985 -
Flags: review?(glob)
Assignee | ||
Comment 10•7 years ago
|
||
Attachment #8851786 -
Attachment is obsolete: true
Attachment #8851986 -
Flags: review?(glob)
Comment 11•7 years ago
|
||
Comment on attachment 8851986 [details] [diff] [review] 1350909_add_cache_headers_2.patch clearing review as per discussions
Attachment #8851986 -
Flags: review?(glob)
Comment 12•7 years ago
|
||
Comment on attachment 8851985 [details] [diff] [review] 1350909_remove_csp_nonce_2.patch Review of attachment 8851985 [details] [diff] [review]: ----------------------------------------------------------------- r=glob ::: js/global.js @@ +47,5 @@ > }); > > +function unhide_language_selector() { > + $('#lang_links_container').removeClass('bz_default_hidden'); > +} as bmo is english only you could remove this. ::: template/en/default/global/header.html.tmpl @@ +140,5 @@ > + } > + }; > + IF generate_api_token; > + js_BUGZILLA.api_token = get_api_token(); > + END; nit: remove trailing spaces @@ +210,5 @@ > + [%# Make some Bugzilla information available to all scripts. > + # We don't import every parameter and constant because we > + # don't want to add a lot of uncached JS to every page. > + # %] > + nit: remove trailing spaces
Attachment #8851985 -
Flags: review?(glob) → review+
Assignee | ||
Comment 13•7 years ago
|
||
Attachment #8851986 -
Attachment is obsolete: true
Attachment #8852468 -
Flags: review?(glob)
Assignee | ||
Comment 14•7 years ago
|
||
Comment on attachment 8852468 [details] [diff] [review] 1350909_add_cache_headers_3.patch Review of attachment 8852468 [details] [diff] [review]: ----------------------------------------------------------------- ::: index.cgi @@ +16,4 @@ > use Bugzilla::Constants; > use Bugzilla::Error; > use Bugzilla::Update; > +use Bugzilla::Util qw(remote_ip); ignore this, it won't be in the final version.
Assignee | ||
Updated•7 years ago
|
Attachment #8852468 -
Attachment is obsolete: true
Attachment #8852468 -
Flags: review?(glob)
Assignee | ||
Comment 15•7 years ago
|
||
this time, minus the brain fart.
Attachment #8852474 -
Flags: review?(glob)
Comment 16•7 years ago
|
||
Comment on attachment 8852474 [details] [diff] [review] 1350909_add_cache_headers_4.patch Review of attachment 8852474 [details] [diff] [review]: ----------------------------------------------------------------- ::: index.cgi @@ +26,5 @@ > > +# Yes, I really want to avoid two calls to the id method. > +my $user_id = $user->id; > + > +# in the future caching logic might be a bit more complicated. this comment doesn't add any value. i would recommend instead stating that it's limited to logged out users due to the dynamic content in the header and footer. @@ +50,3 @@ > > +# our weak etag is based on the bugzilla version parameter (BMO customization) and the announcehtml > +# if either change, the cache will be considered invalid. if my understanding of cache-control:public,max-age and etags is correct, the etag is only checked after the max-age for the cached item has expired. https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching "For example, in the above exchange, the server returns a 1024-byte response, instructs the client to cache it for up to 120 seconds, and provides a validation token ("x234dff") that can be used after the response has expired to check if the resource has been modified." this likely isn't what we want, as it would mean changes could take up to 24 hours to take effect, and contradicts the comment. maybe dropping the max-age down to 5 minutes would be a better balance between decreasing load and responsive updates.
Attachment #8852474 -
Flags: review?(glob) → review-
Assignee | ||
Comment 17•7 years ago
|
||
Attachment #8852474 -
Attachment is obsolete: true
Attachment #8852952 -
Flags: review?(glob)
Comment 18•7 years ago
|
||
Comment on attachment 8852952 [details] [diff] [review] 1350909_add_cache_headers_5.patch Review of attachment 8852952 [details] [diff] [review]: ----------------------------------------------------------------- r=glob
Attachment #8852952 -
Flags: review?(glob) → review+
Assignee | ||
Comment 19•7 years ago
|
||
To git@github.com:mozilla-bteam/bmo.git 30c35b3..8920743 master -> master
Group: webtools-security
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 20•7 years ago
|
||
Sorry, more like: To git@github.com:mozilla-bteam/bmo.git 5b80797..9f9e989 master -> master
You need to log in
before you can comment on or make changes to this bug.
Description
•