Don't set public Cache-Control on proxied non-public blobs
Rails' ActiveStorage proxy controllers hardcode `http_cache_forever public: true`, which sets `Cache-Control: public, immutable`. For non-public blobs behind auth, this allows CDN caching that serves responses without authorization checks. Override `http_cache_forever` in the Authorize concern to downgrade `public` to `false` for non-public blobs. See https://github.com/basecamp/fizzy/pull/2251 for context
This commit is contained in:
@@ -40,6 +40,10 @@ Rails.application.config.to_prepare do
|
|||||||
head :forbidden
|
head :forbidden
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def http_cache_forever(public: false, &block)
|
||||||
|
super(public: public && publicly_accessible_blob?, &block)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
ActiveStorage::Blobs::RedirectController.include ActiveStorage::Authorize
|
ActiveStorage::Blobs::RedirectController.include ActiveStorage::Authorize
|
||||||
|
|||||||
@@ -150,6 +150,14 @@ class ActiveStorageAuthorizationTest < ActionDispatch::IntegrationTest
|
|||||||
assert_match %r{rails/active_storage}, response.location
|
assert_match %r{rails/active_storage}, response.location
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "proxy for non-public blob does not set public Cache-Control" do
|
||||||
|
sign_in_as :david
|
||||||
|
|
||||||
|
get rails_storage_proxy_path(@blob)
|
||||||
|
assert_response :success
|
||||||
|
assert_not_includes response.headers["Cache-Control"], "public"
|
||||||
|
end
|
||||||
|
|
||||||
# Account exports
|
# Account exports
|
||||||
|
|
||||||
test "export owner can download their export" do
|
test "export owner can download their export" do
|
||||||
|
|||||||
Reference in New Issue
Block a user