Redirect /serviceworker.js to assets/ #15823
Conversation
Signed-off-by: Andrew Thornton <art27@cantab.net>
I think this may be old serviceworker instances that are trying to self-update. The new ones should be on the correct path. It may be possible to cleanly unregister the old instances from JS, but I'm not exactly sure how to do it.
@@ -162,6 +162,9 @@ func WebRoutes() *web.Route { | |||
// We use r.Route here over r.Use because this prevents requests that are not for avatars having to go through this additional handler | |||
routes.Route("/avatars/*", "GET, HEAD", storageHandler(setting.Avatar.Storage, "avatars", storage.Avatars)) | |||
routes.Route("/repo-avatars/*", "GET, HEAD", storageHandler(setting.RepoAvatar.Storage, "repo-avatars", storage.RepoAvatars)) | |||
routes.Route("/serviceworker.js", "GET, HEAD", http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) { | |||
http.Redirect(resp, req, setting.AppURL+"assets/serviceworker.js", http.StatusFound) |
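Review bot: the `http.Redirect(..., http.StatusFound)` call on the last added line answers with a 302, which permits a user agent to rewrite a non-GET method to GET on the follow-up request; `http.StatusTemporaryRedirect` (307) or `http.StatusPermanentRedirect` (308) requires the original method and body to be preserved. Because the route on the line above is registered for "GET, HEAD" only, no method downgrade is actually reachable here, so the status code is a consistency and copy-paste-safety point rather than a hole, but 307 costs nothing and is the better default for a redirect helper. Two further checks before relying on this hunk: the target is built by plain concatenation as `setting.AppURL+"assets/serviceworker.js"`, which only yields the intended path if AppURL is guaranteed to end in "/" where it is parsed (otherwise a path join is safer); and service worker script fetches, both the initial `register()` and the browser's periodic update check, are issued with redirect mode "error", so a script URL that redirects is rejected rather than followed. That means this redirect turns the 404s on the stale `/`-scoped registration into a different failure instead of migrating it, and unregistering the stale workers from JS, as discussed below, is the more reliable fix.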
http.Redirect(resp, req, setting.AppURL+"assets/serviceworker.js", http.StatusFound) | |
http.Redirect(resp, req, setting.AppURL+"assets/serviceworker.js", http.StatusTemporaryRedirect) |
We should only use 307 or 308 redirects because those forbid method change which is better for both functionality and security.
I'm not certain I understand how security or functionality could be affected by posts etc. being redirected to assets - in fact it would be better if they were.
Does the web browser support the redirect?
It does not matter for GET requests, but for other methods browsers may decide to change the method to GET based on obscure criteria related to HTML forms, which I think is an outdated concept. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections#temporary_redirections for more details.
Security can be impacted for a POST to an endpoint with credentials, where a change to GET would move potentially sensitive parameters from the request body to the request URL, adding them to the browser history and making them visible in server logs. For that reason alone, I never use 301, 302 or 303, only 307 and 308, which of course all browsers support.
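The method-rewriting behaviour discussed in the comment above, shown end to end. This is an added, stand-alone example and not code from Gitea or from this PR: it uses `net/http/httptest` to stand up a redirector shaped like the handler in the diff (with the status code made configurable) plus a target that reports the method and body it receives, then POSTs a constructed form body (`_csrf=constructed-token&password=hunter2`, sample data) through Go's `http.Client`, which follows redirects with the same method rules browsers apply. The `/serviceworker.js` and `/assets/serviceworker.js` paths are reused from the PR only for familiarity; nothing about the real Gitea routes is exercised.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// redirectOutcome records what the redirect target actually received.
type redirectOutcome struct {
	Method string // method the target saw once the redirect was followed
	Body   string // body the target saw (empty when the client dropped it)
}

// observeRedirect stands up two throwaway servers: a target that reports the
// method and body it receives, and a redirector that answers every request
// with `status` and a Location pointing at the target. It then POSTs a
// constructed form body to the redirector through Go's http.Client, which
// follows redirects the way browsers do: 301/302/303 turn the POST into a
// GET and discard the body, 307/308 replay the POST with its body intact.
func observeRedirect(status int) (redirectOutcome, error) {
	seen := make(chan redirectOutcome, 1)

	target := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		b, _ := io.ReadAll(r.Body)
		seen <- redirectOutcome{Method: r.Method, Body: string(b)}
		w.WriteHeader(http.StatusOK)
	}))
	defer target.Close()

	redirector := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Same shape as the handler in the PR, with the status code parameterised.
		http.Redirect(w, r, target.URL+"/assets/serviceworker.js", status)
	}))
	defer redirector.Close()

	// Constructed sample credentials: the point is to see whether they survive the hop.
	form := strings.NewReader("_csrf=constructed-token&password=hunter2")
	resp, err := http.Post(redirector.URL+"/serviceworker.js", "application/x-www-form-urlencoded", form)
	if err != nil {
		return redirectOutcome{}, err
	}
	resp.Body.Close()
	if resp.StatusCode/100 == 3 {
		// The client refused to follow (e.g. it could not replay the body); the target was never reached.
		return redirectOutcome{}, fmt.Errorf("client did not follow %d redirect", resp.StatusCode)
	}
	return <-seen, nil
}

func main() {
	for _, status := range []int{http.StatusMovedPermanently, http.StatusFound, http.StatusSeeOther,
		http.StatusTemporaryRedirect, http.StatusPermanentRedirect} {
		got, err := observeRedirect(status)
		if err != nil {
			fmt.Printf("%d: %v\n", status, err)
			continue
		}
		fmt.Printf("%d %-20s -> target saw %-4s body=%q\n", status, http.StatusText(status), got.Method, got.Body)
	}
}
```

Running `main` prints one line per status: the 301/302/303 rows arrive at the target as `GET` with an empty body, while 307/308 arrive as `POST` with the form intact. In a real browser the dropped body is gone for good unless the server re-encodes it into the Location query string, which is exactly the path by which the fields would end up in history and access logs.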
Don't forget to add
I think it's okay to add routes, for example:

```js
navigator.serviceWorker.register(`${AppSubUrl}/serviceworker.js`, {scope: '/assets'})
```
As far as I understood it already was.
I don't understand what you mean.
Yes, I'm not certain why these requests are being made either. It could be due to Chrome's "Update on reload" setting in the developer tools, but I don't understand why it would actually request this. AFAIU the service worker should now be embedded. However, given this repeated querying I think we do have to redirect it.
I think we just should instead cleanly unregister all service workers in JS that are not on the current:

```js
(await navigator.serviceWorker.getRegistrations()).map(r => r.scope)
// => [ "https://try.gitea.io/", "https://try.gitea.io/assets/" ]
```

I will try to come up with something.
Adding a
Agh, it must have been moved out when we did the assets change - thanks @a1012112796, I'll add it back in. I don't think we really want to allow a user to be named serviceworker.js anyway. Hopefully @silverwind will figure out how to make this PR completely unnecessary.
Signed-off-by: Andrew Thornton <art27@cantab.net>
Alternative PR: #15834
With the addition of the /assets url, users who visited a previous version of the site may now have two active service workers, one with the old scope `/` and one with scope `/assets`. This checks for serviceworkers that do not match the current script path and unregisters them. Also included is a small refactor to publicpath.js, which was simplified because AssetUrlPrefix is always present now. It also makes use of the new joinPaths helper. Fixes: go-gitea#15823
Codecov Report
@@ Coverage Diff @@
## main #15823 +/- ##
==========================================
+ Coverage 43.98% 44.00% +0.01%
==========================================
Files 680 681 +1
Lines 82212 82231 +19
==========================================
+ Hits 36162 36182 +20
- Misses 40134 40139 +5
+ Partials 5916 5910 -6
Continue to review full report at Codecov.
Since we moved the assets to the /assets there are multiple requests to serviceworker.js that are getting 404'd.
This PR simply redirects requests to /assets.
Signed-off-by: Andrew Thornton art27@cantab.net