Page MenuHomePhorge
Differential D25694

Set "preconnect" HTTP header when "security.alternate-file-domain" is set
Needs ReviewPublic
Actions

Authored by aklapper on Jun 18 2024, 10:36.
Tags
None
Referenced Files
F3658147: D25694.1745454773.diff
Wed, Apr 23, 00:32
F3604473: D25694.1745202756.diff
Sun, Apr 20, 02:32
F3577018: D25694.1745076055.diff
Fri, Apr 18, 15:20
F3553263: D25694.1744925643.diff
Wed, Apr 16, 21:34
F3540310: D25694.1744896388.diff
Wed, Apr 16, 13:26
F3525884: D25694.1744823507.diff
Tue, Apr 15, 17:11
F3479759: D25694.1744765178.diff
Tue, Apr 15, 00:59
F3418886: D25694.1744620283.diff
Sun, Apr 13, 08:44
View All 40 Files
Subscribers
avivey
Cigaryno
l2dy
Matthew
speck
tobiaswiese
valerio.bozzolan

Details

Reviewers
None
Group Reviewers
O1: Blessed Committers
Maniphest Tasks
T15859: Set "preconnect" HTTP header when "security.alternate-file-domain" is set
Summary

When a CDN or alternate file domain is configured, reduce perceived latency by resolving DNS and establishing a connection.

See https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel/preconnect and https://we.phorge.it/book/phorge/article/configuring_file_domain/

Closes T15859

Test Plan
  1. Set http://phorge.localhost/config/edit/security.alternate-file-domain/ via ./bin/config set "security.alternate-file-domain" "https://whatever.example.com/"
  2. Open the "Network" tab in your web browser's "Developer Tools" and go to http://phorge.localhost/
  3. Check under "Headers" that "Response Headers" includes the new header Link: <https://whatever.example.com/>; rel="preconnect".

Diff Detail

Repository
rP Phorge
Branch
T15859preFetch (branched from master)
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 1352
Build 1352: arc lint + arc unit

Event Timeline

aklapper created this revision.Jun 18 2024, 10:36
Owners added a reviewer: O1: Blessed Committers.Jun 18 2024, 10:36
Herald added subscribers: Cigaryno, Matthew, valerio.bozzolan, tobiaswiese. · View Herald TranscriptJun 18 2024, 10:36
aklapper requested review of this revision.Jun 18 2024, 10:36
Harbormaster completed remote builds in B1352: Diff 2121.Jun 18 2024, 10:36
l2dy subscribed.Jun 18 2024, 14:13

Should the summary also include https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel/preconnect as a reference? https://developer.mozilla.org/en-US/docs/Web/Performance/dns-prefetch doesn't mention preconnect in the first few paragraphs, so it's somewhat confusing.

Preconnect is only useful if a page needs to make connections to third-party domains. It's unnecessary for AphrontAjaxResponse and redirects, so adding the header to the base class AphrontResponse is excessive. What do you think of moving it to AphrontHTMLResponse?

aklapper edited the summary of this revision. (Show Details)Jun 18 2024, 15:18

Good point, thanks! Updated.

speck subscribed.Jun 19 2024, 02:43
speck added inline comments.
src/aphront/response/AphrontResponse.php
115

Should this ensure cdn ends with ‘/‘? Unclear if that’s becessary

aklapper added inline comments.Jun 19 2024, 07:30
src/aphront/response/AphrontResponse.php
115

Testing locally, a trailing slash wasn't needed: I set security.alternate-file-domain to a non-existing domain like https://whatever.example.com and images/JS did not load as expected, and I set it to existing https://phab.wmfusercontent.org/ and could see in the browser's Developer Tools' network tab that it loaded resources from that domain.

avivey subscribed.Jun 19 2024, 08:11

What if $cdn has some evil characters? Do we have some escaping, or can it cause anything bad, or do we not care? Looks like we're including a bunch of other config as-is here, so maybe it's ok.

aklapper added a comment.EditedJun 19 2024, 09:37

can it cause anything bad

If the domain is invalid or does not host Phorge assets: Failing to load assets like CSS/images/JS as the resulting URIs are invalid.
If the domain is valid: In theory you could craft some evil JS if path and filename are what's expected by Phorge. But that is nothing to fix in this very setting which covers an alternative domain name only and can do nothing about content hosted on that domain.

Still, if an admin sets /config/edit/security.alternate-file-domain/ in the Phorge installation they are supposed to maintain to a domain not fully under their control or to include evil characters then I'd be way more worried about having system administrators who seem to have no clue what they are doing when pushing or tweaking random knobs in a piece of software.

aklapper added inline comments.Jun 19 2024, 09:49
src/aphront/response/AphrontResponse.php
115

My previous reply likely missed your actual point about trailing slashes: Both
./bin/config set "security.alternate-file-domain" "https://phab.wmfusercontent.org/"
and
./bin/config set "security.alternate-file-domain" "https://phab.wmfusercontent.org"
expose the very same behavior in the "network" browser tab (some expected CSP failures etc).

l2dy added inline comments.Jun 19 2024, 14:32
src/aphront/response/AphrontResponse.php
3

What do you think of moving the new header to AphrontHTMLResponse, or another class that better represents a document load in web browsers? AphrontResponse is too generic and covers many types of requests, in which Ajax and resource requests generally don't need the preconnect, because they generally do not set off new connections to a different domain.

valerio.bozzolan added a comment.Jun 21 2024, 00:12
In D25694#19020, @avivey wrote:

What if $cdn has some evil characters? Do we have some escaping

Premising that probably no need to escape headers:

https://stackoverflow.com/a/5677844/3451846

But yes, probably need to escape the URI inside <...>. The example is limited to the path, but probably relevant also for the domain itself:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Link#encoding_urls

valerio.bozzolan added a comment.Jun 26 2024, 09:12

After 15 minutes of reading stuff around on the web, I think we need a little help. Waiting for answers (and waiting for downvotes lol).

https://stackoverflow.com/q/78671273/3451846

aklapper added a comment.Jun 26 2024, 16:46

probably need to escape the URI

I'm not sure it matters for now as Phorge does not seem to accept non-ascii domains anyway (with a confusing error message):

[acko@fedora phorge (T15859preFetch *$|u+1)]$ ./bin/config set "security.alternate-file-domain" "https://苗条.example.com"
Usage Exception: Config option 'security.alternate-file-domain' is invalid. The URI must start with 'http://' or 'https://'.
[acko@fedora phorge (T15859preFetch *$|u+1)]$ ./bin/config set "security.alternate-file-domain" "https://áéexample.com"
Usage Exception: Config option 'security.alternate-file-domain' is invalid. The URI must start with 'http://' or 'https://'.

I could imagine something like $cdn = preg_replace_callback('/[^\x20-\x7f]/', function($match) { return rawurlencode($match[0]); }, $cdn); to work. Untested because above.

aklapper marked an inline comment as done.Jun 26 2024, 16:51
aklapper added inline comments.
src/aphront/response/AphrontResponse.php
3

Yes, that makes a lot of sense. Thanks, going to cover in the next revision

aklapper updated this revision to Diff 2153.EditedJun 26 2024, 16:52
aklapper marked an inline comment as done.

Move CDN check from generic AphrontResponse to more correct AphrontHTMLResponse.

I confirm this still sets the HTTP Header.

Harbormaster completed remote builds in B1372: Diff 2153.Jun 26 2024, 16:52
aklapper updated this revision to Diff 2154.Jun 26 2024, 16:59

Looks like installing php-xdebug forces me to set 'xdebug.mode' to 'coverage' in 'php.ini' to pass arc unit, no matter what...

Harbormaster completed remote builds in B1373: Diff 2154.Jun 26 2024, 16:59
aklapper added a comment.Jul 21 2024, 20:19

Would anyone be willing to give this another review? :)

aklapper mentioned this in Z1: Phorge.Aug 10 2024, 18:45

Revision Contents
Changeset List

PathSizePackages
src/
aphront/
response/
5 linesO1: Blessed Committers

Diff 2121

View Options

src/aphront/response/AphrontResponse.php

<?php <?php
abstract class AphrontResponse extends Phobject { abstract class AphrontResponse extends Phobject {
l2dyUnsubmitted
Done
Inline Actions

What do you think of moving the new header to AphrontHTMLResponse, or another class that better represents a document load in web browsers? AphrontResponse is too generic and covers many types of requests, in which Ajax and resource requests generally don't need the preconnect, because they generally do not set off new connections to a different domain.

l2dy: What do you think of moving the new header to `AphrontHTMLResponse`, or another class that…
aklapperAuthorUnsubmitted
Done
Inline Actions

Yes, that makes a lot of sense. Thanks, going to cover in the next revision

aklapper: Yes, that makes a lot of sense. Thanks, going to cover in the next revision
private $request; private $request;
private $cacheable = false; private $cacheable = false;
private $canCDN; private $canCDN;
private $responseCode = 200; private $responseCode = 200;
private $lastModified = null; private $lastModified = null;
private $contentSecurityPolicyURIs; private $contentSecurityPolicyURIs;
private $disableContentSecurityPolicy; private $disableContentSecurityPolicy;
▲ Show 20 LinesShow All 93 Lines▼ Show 20 Lines public function getHeaders() {
$csp = $this->newContentSecurityPolicyHeader(); $csp = $this->newContentSecurityPolicyHeader();
if ($csp !== null) { if ($csp !== null) {
$headers[] = array('Content-Security-Policy', $csp); $headers[] = array('Content-Security-Policy', $csp);
} }
$headers[] = array('Referrer-Policy', 'no-referrer'); $headers[] = array('Referrer-Policy', 'no-referrer');
$cdn = PhabricatorEnv::getEnvConfig('security.alternate-file-domain');
if ($cdn) {
$headers[] = array('Link', '<'.$cdn.'>; rel="preconnect"');
speckUnsubmitted
Not Done
Inline Actions

Should this ensure cdn ends with ‘/‘? Unclear if that’s becessary

speck: Should this ensure cdn ends with ‘/‘? Unclear if that’s becessary
aklapperAuthorUnsubmitted
Done
Inline Actions

Testing locally, a trailing slash wasn't needed: I set security.alternate-file-domain to a non-existing domain like https://whatever.example.com and images/JS did not load as expected, and I set it to existing https://phab.wmfusercontent.org/ and could see in the browser's Developer Tools' network tab that it loaded resources from that domain.

aklapper: Testing locally, a trailing slash wasn't needed: I set `security.alternate-file-domain` to a…
aklapperAuthorUnsubmitted
Done
Inline Actions

My previous reply likely missed your actual point about trailing slashes: Both
./bin/config set "security.alternate-file-domain" "https://phab.wmfusercontent.org/"
and
./bin/config set "security.alternate-file-domain" "https://phab.wmfusercontent.org"
expose the very same behavior in the "network" browser tab (some expected CSP failures etc).

aklapper: My previous reply likely missed your actual point about trailing slashes: Both `./bin/config…
}
foreach ($this->headers as $header) { foreach ($this->headers as $header) {
$headers[] = $header; $headers[] = $header;
} }
return $headers; return $headers;
} }
private function newContentSecurityPolicyHeader() { private function newContentSecurityPolicyHeader() {
▲ Show 20 LinesShow All 329 LinesShow Last 20 Lines
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under Apache 2.0 or other open source licenses. · CC BY-SA 4.0 · Apache 2.0