fix(gw): remove use of Clear-Site-Data in subdomain router #7890
Merged
We used Clear-Site-Data to cushion transition period for local gateway exposed at http://localhost while we were still figuring out security-related details. In the final implementation subdomain gateways are not tied to a hostname explicitly, which removes the risk of cookies leaking, removing the need for the header. Turns out it causes issues for Firefox users, so let's just remove it. Closes ipfs/ipfs-companion#977
Stebalien approved these changes Jan 30, 2021
hacdias pushed a commit to ipfs/boxo that referenced this pull request Jan 27, 2023
fix(gw): remove use of Clear-Site-Data in subdomain router
This commit was moved from ipfs/kubo@4cdb67f
This PR removes use of buggy Clear-Site-Data header and solves issue with Firefox: ipfs/ipfs-companion#977 (Chromium browsers are not impacted, but they also barely support this header)
TLDR
Clear-Site-Data header and in Firefox it clears cookies before redirecting to https://en-wikipedia--on--ipfs-org.ipns.dweb.link (afaik it should ignore the header on redirects, but that is not the case in Firefox 84)
Clear-Site-Data support across vendors is buggy in general, and that is not just Firefox
Clear-Site-Data from the path-based router, fixing Firefox issue described in ipfs-companion clears local storage when using local gateway ipfs-companion#977
Context
We used Clear-Site-Data as a failsafe/cushion during the transition period for local gateway exposed at http://localhost while we were still figuring out security-related details. In the final implementation subdomain gateways are now tied to a hostname explicitly, which removes the risk of cookies leaking, removing the need for the header.
Turns out the header support is still not implemented correctly in Chromium and causes issues for Firefox users (ipfs/ipfs-companion#977), so let's just remove it.
cc @hsanjuan @Gozala @autonome for 👀
@aschmahmann should be small and clean enough to squeeze into 0.8.0 (#7707), but lmk if you prefer to push it to later one
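An added example (not code from this PR or from kubo) of the behaviour the description covers: a hypothetical path-gateway handler that redirects to a subdomain origin with or without Clear-Site-Data, and a check that reports the header's directives on a redirect response without following it. The handler and function names, the directive values `"cookies", "storage"` and the sample URL are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// redirectToSubdomain is a hypothetical path-gateway handler (not kubo's code):
// it redirects /ipns/<name>/<rest> to http://<name>.ipns.<host>/<rest>.
func redirectToSubdomain(sendClear bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		parts := strings.SplitN(strings.TrimPrefix(r.URL.Path, "/"), "/", 3)
		if len(parts) < 2 || parts[0] != "ipns" || parts[1] == "" {
			http.NotFound(w, r)
			return
		}
		rest := "/" + strings.Join(parts[2:], "")
		if sendClear { // the failsafe header; directive values are assumed
			w.Header().Set("Clear-Site-Data", `"cookies", "storage"`)
		}
		http.Redirect(w, r, "http://"+parts[1]+".ipns."+r.Host+rest, http.StatusMovedPermanently)
	}
}

// clearDirectivesOnRedirect sends one request, does not follow the redirect,
// and returns the Clear-Site-Data directives on a 3xx response (nil if none).
func clearDirectivesOnRedirect(h http.Handler, target string) []string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	res := rec.Result()
	if res.StatusCode < 300 || res.StatusCode > 399 {
		return nil
	}
	var out []string
	for _, v := range res.Header.Values("Clear-Site-Data") {
		for _, d := range strings.Split(v, ",") {
			out = append(out, strings.Trim(strings.TrimSpace(d), `"`))
		}
	}
	return out
}

func main() {
	u := "http://localhost:8080/ipns/example-name/wiki/" // constructed sample URL
	fmt.Println("with header:", clearDirectivesOnRedirect(redirectToSubdomain(true), u),
		"without:", clearDirectivesOnRedirect(redirectToSubdomain(false), u))
}
```

The same check can serve as a regression test that a gateway's redirect responses carry no Clear-Site-Data header.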