From 9c9872ebaccc75fda922d7fa5c93f26490ebcdde Mon Sep 17 00:00:00 2001
From: Sam Minnee
Date: Wed, 4 Jul 2018 13:35:47 +1200
Subject: [PATCH 1/3] FIX: Remove X-Requested-With from default Vary header. The X-Requested-With header does modify the result of Director::is_ajax and so this should strictly be in there. In practise, this can cause issues with CDNs such as Incapsula, and LeftAndMain adds this vary header itself, which is the principle place where Director::is_ajax is used.
---
 _config/config.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/_config/config.yml b/_config/config.yml
index 424b8145b..8be36b35d 100644
--- a/_config/config.yml
+++ b/_config/config.yml
@@ -16,7 +16,7 @@ HTTP:
 no-cache: "true"
 no-store: "true"
 must-revalidate: "true"
- vary: "X-Requested-With, X-Forwarded-Protocol"
+ vary: "X-Forwarded-Protocol"
 LeftAndMain:
 dependencies:
 versionProvider: %$SilverStripeVersionProvider
From 72ce2b422deecd567977c6b85270475ea0877a69 Mon Sep 17 00:00:00 2001
From: Sam Minnee
Date: Wed, 4 Jul 2018 15:55:52 +1200
Subject: [PATCH 2/3] Update docs for Vary: X-Requested-With
---
 control/Director.php | 3 +++
 .../08_Performance/02_HTTP_Cache_Headers.md | 5 ++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/control/Director.php b/control/Director.php
index d6ddc97ca..3f62ecc39 100644
--- a/control/Director.php
+++ b/control/Director.php
@@ -918,6 +918,9 @@ class Director implements TemplateGlobalProvider {
 * by checking for a custom header set by jQuery or
 * wether a manually set request-parameter 'ajax' is present.
 *
+ * Note that if you plan to use this to alter your HTTP response on a cached page,
+ * you should add X-Requested-With to the Vary header.
+ *
 * @return boolean
 */
 public static function is_ajax() {
diff --git a/docs/en/02_Developer_Guides/08_Performance/02_HTTP_Cache_Headers.md b/docs/en/02_Developer_Guides/08_Performance/02_HTTP_Cache_Headers.md
index c47c1fcd6..e4df33def 100644
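Review bot: Dropping `X-Requested-With` from the default `vary` value in `_config/config.yml` changes what a cache keys on for every site that overrides the `no-cache`/`no-store` defaults just above it, and nothing in the config records that this was deliberate. On such a site, any cacheable response that branches on `Director::is_ajax()` can now be stored by a CDN or shared cache in its AJAX form and served to ordinary page requests, or the reverse; the commit message says LeftAndMain sets the header itself, but that is not visible in this patch. I would add a comment above the key, `# X-Requested-With is deliberately omitted; add it back if cacheable responses branch on Director::is_ajax()`, and repeat it in the upgrade notes. The HTTPTest hunk in PATCH 3/3 only deletes the old assertion; `$this->assertNotContains("X-Requested-With", $v);` would pin the new default.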
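Review bot: The sentence added to the `is_ajax()` docblock tells the reader to add `X-Requested-With` to the Vary header but not what goes wrong otherwise or where to set it. I would extend it with `* Otherwise a shared cache may serve the AJAX variant of a URL to non-AJAX requests; set it through the HTTP.vary config.` It is also worth stating there that both inputs this docblock names (the jQuery header and the 'ajax' request parameter) are supplied by the client, so the result should only select a response format and never gate access. The function body lies outside the hunk.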
--- a/docs/en/02_Developer_Guides/08_Performance/02_HTTP_Cache_Headers.md
+++ b/docs/en/02_Developer_Guides/08_Performance/02_HTTP_Cache_Headers.md
@@ -209,7 +209,7 @@ when calculating a cache key, usually in addition to the full URL path.
 By default, SilverStripe will output a `Vary` header with the following content:
 ```
-Vary: X-Requested-With, X-Forwarded-Protocol
+Vary: X-Forwarded-Protocol
 ```
 To change the value of the `Vary` header, you can change this value by specifying the header in configuration.
@@ -218,3 +218,6 @@ To change the value of the `Vary` header, you can change this value by specifyin
 HTTP:
 vary: ""
 ```
+
+Note that if you use `Director::is_ajax()` on cached pages then you should add `X-Requested-With` to the vary
+header.
From fa7f1954be4c2548e8bfd16b07bd3537f11f839f Mon Sep 17 00:00:00 2001
From: Sam Minnee
Date: Wed, 4 Jul 2018 15:56:47 +1200
Subject: [PATCH 3/3] Fix test to match
---
 tests/control/HTTPTest.php | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tests/control/HTTPTest.php b/tests/control/HTTPTest.php
index 9beb38f15..9b377cc70 100644
--- a/tests/control/HTTPTest.php
+++ b/tests/control/HTTPTest.php
@@ -77,7 +77,6 @@ class HTTPTest extends FunctionalTest {
 $this->assertNotEmpty($v);
 $this->assertContains("X-Forwarded-Protocol", $v);
- $this->assertContains("X-Requested-With", $v);
 $this->assertNotContains("Cookie", $v);
 $this->assertNotContains("User-Agent", $v);
 $this->assertNotContains("Accept", $v);