Hello. I've recently experimented with the `http2_push_preload` directive to preemptively submit a response to an XHR request. I've noticed that in the request that nginx performs to fetch the hinted resource, no cookies are submitted. However, Chrome does not consider the cached response a candidate for serving the actual XHR that is later sent by the client, which contains `withCredentials=true` and does contain cookies.
This is problematic in scenarios where cookies are required to be present. For example, assume the following case:

- a logged-in user visits page A that we know will trigger an XHR to B.json
- information about the session of the user is persisted in a cookie
- B.json can only be served to logged-in users
- we want to push B.json to the client using an early hint, since we know it'll be needed

What happens now is the following:

1) Chrome requests page A, nginx responds with page A and an early hint for B.json
2) nginx requests B.json *without* sending any cookies
3) Chrome fetches response for A and B.json
4) Chrome performs an XHR(withCredentials=true) to fetch B.json and does not use B.json from the push cache, since it considers it a different request altogether

My question is: how are we supposed to treat such a case? Are there any plans to support this?

Thanks in advance,

P.S. The ruby script I've used is the following and can be run with `bundle exec rackup test.rb` (requires ruby and bundler):

```
require 'rack'
require 'webrick'

XHR = "/foo.json"

# Homepage markup: performs the XHR that the Link header below hints at.
body = %{
<html>
  <head></head>
  <body>
    I'm the homepage and I'm performing an XHR
    <script>
      var oReq = new XMLHttpRequest();
      oReq.open("GET", "#{XHR}");
      // if set to true, it doesn't work in Chrome
      oReq.withCredentials = false;
      oReq.send();
    </script>
  </body>
</html>
}

require 'pp'

app = Proc.new do |env|
  puts
  if env["PATH_INFO"].include?(".json")
    # The hinted resource
    ['200', {'Content-Type' => 'application/json'}, ['{"foo":"bar"}']]
  else
    # The page, with the preload hint that nginx turns into a push
    ['200', {'Content-Type' => 'text/html', "Link" => "<#{XHR}>; rel=preload; as=fetch; crossorigin"}, [body]]
  end
end

Rack::Handler::WEBrick.run(app, Port: 8123)
```

```
OS: Darwin 17.4.0 Darwin Kernel Version 17.4.0: Sun Dec 17 09:19:54 PST 2017; root:xnu-4570.41.2~1/RELEASE_X86_64 x86_64

nginx version: nginx/1.15.1
built by clang 9.1.0 (clang-902.0.39.2)
built with OpenSSL 1.0.2o 27 Mar 2018
TLS SNI support enabled
configure arguments: --prefix=/usr/local/Cellar/nginx/1.15.1 --sbin-path=/usr/local/Cellar/nginx/1.15.1/bin/nginx --with-cc-opt='-I/usr/local/opt/pcre/include -I/usr/local/opt/openssl/include' --with-ld-opt='-L/usr/local/opt/pcre/lib -L/usr/local/opt/openssl/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --pid-path=/usr/local/var/run/nginx.pid --lock-path=/usr/local/var/run/nginx.lock --http-client-body-temp-path=/usr/local/var/run/nginx/client_body_temp --http-proxy-temp-path=/usr/local/var/run/nginx/proxy_temp --http-fastcgi-temp-path=/usr/local/var/run/nginx/fastcgi_temp --http-uwsgi-temp-path=/usr/local/var/run/nginx/uwsgi_temp --http-scgi-temp-path=/usr/local/var/run/nginx/scgi_temp --http-log-path=/usr/local/var/log/nginx/access.log --error-log-path=/usr/local/var/log/nginx/error.log --with-debug --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-ipv6 --with-mail --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module
```
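
As an added illustration (not part of the original post, and not nginx or Rack project code): a variant of the post's Rack app in which `/foo.json` requires a session cookie, so a cookie-less request like the push-triggered one described above is denied while the credentialed XHR succeeds. The cookie name `sid`, the `logged_in?` helper, and the use of the Preload `nopush` Link parameter (assumed here to be honored by the server performing the push) are assumptions of the example.

```ruby
# Added example, not the poster's script. SESSION_COOKIE, logged_in? and APP
# are hypothetical names. No gems needed: a Rack app is a callable that takes
# an env hash, so it is invoked directly with constructed requests.
XHR = "/foo.json"
SESSION_COOKIE = "sid" # assumed session cookie name

# Stand-in session check; a real app would validate the value server-side.
def logged_in?(env)
  env.fetch("HTTP_COOKIE", "").split(/;\s*/).any? do |pair|
    name, value = pair.split("=", 2)
    name == SESSION_COOKIE && !value.to_s.empty?
  end
end

APP = lambda do |env|
  if env["PATH_INFO"] == XHR
    # Fail closed: a request without the cookie (such as the push-triggered
    # one described in the post) is anonymous. The denial is uncacheable and
    # marked as varying on Cookie.
    unless logged_in?(env)
      return ["401", { "Content-Type" => "application/json",
                       "Cache-Control" => "no-store", "Vary" => "Cookie" },
              ['{"error":"login required"}']]
    end
    ["200", { "Content-Type" => "application/json",
              "Cache-Control" => "private, no-store", "Vary" => "Cookie" },
     ['{"foo":"bar"}']]
  else
    # "nopush" keeps the preload hint for the browser but asks the server in
    # front not to push a resource it can only request without credentials.
    link = "<#{XHR}>; rel=preload; as=fetch; crossorigin; nopush"
    ["200", { "Content-Type" => "text/html", "Link" => link }, ["<html></html>"]]
  end
end

# Constructed requests: page load, cookie-less fetch, credentialed XHR.
def demo
  page   = APP.call("PATH_INFO" => "/")
  pushed = APP.call("PATH_INFO" => XHR)
  xhr    = APP.call("PATH_INFO" => XHR, "HTTP_COOKIE" => "theme=dark; sid=abc123")
  { link: page[1]["Link"], pushed: pushed[0], xhr: xhr[0] }
end

p demo if __FILE__ == $PROGRAM_NAME
```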