Welcome! Log In Create A New Profile

Advanced

question: http2_push_preload request with cookie

Posted by powiii 
Hello.

I've recently experimented with the `http2_push_preload` directive to preemptively
submit a response to an XHR request. I've noticed that in the request that nginx
performs to fetch the hinted resource, no cookies are submitted. However, Chrome
does not consider the cached response a candidate for serving the actual XHR that is later
sent by the client, which contains `withCredentials=true` and does contain cookies.

This is problematic in scenarios where cookies are required to be present. For example,
assume the following case:

- a logged in user visits page A that we know will trigger an XHR to B.json
- information about the session of the user is persisted in a cookie
- B.json can only be served to logged in users
- we want to push B.json to the client using an early hint, since we know it'll be needed

what happens now is the following:

1) Chrome requests page A, nginx responds with page A and an early hint for B.json
2) nginx requests B.json *without* sending any cookies
3) Chrome fetches response for A and B.json
3) Chrome performs an XHR(withCredentials=true) to fetch B.json and does not use B.json from the push cache,
since it considers it a different request altogether

My question is: how are we supposed to treat such a case? Are there any plans to support this?

Thanks in advance,

P.S. The ruby script I've used is the following and can be run with `bundle exec rackup test.rb` (requires ruby and bundler):

```
require 'rack'
require 'webrick'

XHR = "/foo.json"

body = %{
<html>
<head></head>
<body>
I'm the homepage and I'm performing an XHR

<script>
var oReq = new XMLHttpRequest();
oReq.open("GET", "#{XHR}");

// if set to true, it doesn't work in Chrome
oReq.withCredentials = false;
oReq.send();
</script>
</body>
</html>
}

require 'pp'
app = Proc.new do |env|
puts
if env["PATH_INFO"].include?(".json")
['200', {'Content-Type' => 'application/json'}, ['{"foo":"bar"}']]
else
['200', {'Content-Type' => 'text/html', "Link" => "<#{XHR}>; rel=preload; as=fetch; crossorigin"}, [body]]
end
end

Rack::Handler::WEBrick.run(app, Port: 8123)
```

OS: Darwin 17.4.0 Darwin Kernel Version 17.4.0: Sun Dec 17 09:19:54 PST 2017; root:xnu-4570.41.2~1/RELEASE_X86_64 x86_64

nginx version: nginx/1.15.1
built by clang 9.1.0 (clang-902.0.39.2)
built with OpenSSL 1.0.2o 27 Mar 2018
TLS SNI support enabled
configure arguments: --prefix=/usr/local/Cellar/nginx/1.15.1 --sbin-path=/usr/local/Cellar/nginx/1.15.1/bin/nginx --with-cc-opt='-I/usr/local/opt/pcre/include -I/usr/local/opt/openssl/include' --with-ld-opt='-L/usr/local/opt/pcre/lib -L/usr/local/opt/openssl/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --pid-path=/usr/local/var/run/nginx.pid --lock-path=/usr/local/var/run/nginx.lock --http-client-body-temp-path=/usr/local/var/run/nginx/client_body_temp --http-proxy-temp-path=/usr/local/var/run/nginx/proxy_temp --http-fastcgi-temp-path=/usr/local/var/run/nginx/fastcgi_temp --http-uwsgi-temp-path=/usr/local/var/run/nginx/uwsgi_temp --http-scgi-temp-path=/usr/local/var/run/nginx/scgi_temp --http-log-path=/usr/local/var/log/nginx/access.log --error-log-path=/usr/local/var/log/nginx/error.log --with-debug --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_st
atic_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-ipv6 --with-mail --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Sorry, only registered users may post in this forum.

Click here to login