rack-steady_etag 0.3.1 → 0.3.2
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -1
- data/Gemfile.lock +1 -1
- data/README.md +2 -1
- data/lib/rack/steady_etag/version.rb +1 -1
- data/lib/rack/steady_etag.rb +11 -2
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: bcfda15fd495c39d8c54909f7c634bc117180278a69d1d5950009c5e50b65f66
|
4
|
+
data.tar.gz: 77fc5f0e7e53af4dd3f30aaa9617775f636e38b340a3cd0789dfbc1db3473a1f
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 769df0e0d8ef0f037f4c176b83f6639a08fce011c18bcc6d718fb5b2b56040be2512c751fb77b17c4d9da65ceae8f72d785a3a4cc4fa0b3b670824dbf9666223
|
7
|
+
data.tar.gz: 8af6b7f73d97c396e6acbdc505a28fe0519f765684aad151d19cef2e1b0d79c2e364fb929a153a58d07d364d2b4bb23df677214f074f3e1fa971f787e2d6f69e
|
data/CHANGELOG.md
CHANGED
@@ -2,9 +2,12 @@ All notable changes to this project will be documented in this file.
|
|
2
2
|
|
3
3
|
This project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
|
4
4
|
|
5
|
-
|
6
5
|
## Unreleased
|
7
6
|
|
7
|
+
## 0.3.2 - 2022-07-29
|
8
|
+
|
9
|
+
- Digest includes the [unmasked Rails CSRF token](https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html#method-i-real_csrf_token) in case a Rails controller manually rotates the token.
|
10
|
+
|
8
11
|
## 0.3.1 - 2022-07-19
|
9
12
|
|
10
13
|
- Fix a bug where we would not strip HTML responses with an embedded charset (e.g. `text/html; charset=utf-8`).
|
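Review bot: the 0.3.2 entry on new line 9 should say what the change does to existing caches: every session that carries a `_csrf_token` now produces a different ETag than it did under 0.3.1, so conditional requests will miss exactly once after the upgrade, and a one-line "ETags change once on upgrade" note next to the entry saves an operator from hunting for a bug. The entry also calls the digested value the "unmasked" token while the README in the same release calls the client-visible one "XOR-masked"; a half sentence tying the two together (the digest uses the real token stored in the session, not the per-render masked copy that is stripped from the body) would make the changelog self-explaining.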
data/Gemfile.lock
CHANGED
data/README.md
CHANGED
@@ -1,6 +1,6 @@
|
|
1
1
|
# Rack::SteadyETag
|
2
2
|
|
3
|
-
`Rack::SteadyETag` is a Rack middleware that generates the same default [`ETag`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag) for responses that only differ in CSRF tokens or CSP nonces.
|
3
|
+
`Rack::SteadyETag` is a Rack middleware that generates the same default [`ETag`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag) for responses that only differ in XOR-masked CSRF tokens or CSP nonces.
|
4
4
|
|
5
5
|
By default Rails uses [`Rack::ETag`](https://rdoc.info/github/rack/rack/Rack/ETag) to generate `ETag` headers by hashing the response body. In theory this would [enable caching](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-None-Match) for multiple requests to the same resource. However, since most Rails application layouts insert randomly rotating CSRF tokens and CSP nonces into the HTML, two requests for the same content and user will never produce the same response bytes. This means `Rack::ETag` will never send the same ETag twice, causing responses to [never hit a cache](https://github.com/rails/rails/issues/29889).
|
6
6
|
|
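Review bot: the reworded sentence on new line 3 now says "XOR-masked CSRF tokens", but the explanatory paragraph on line 5 still says "randomly rotating CSRF tokens", which reads as if the token itself changes on every request. Since the whole premise of the middleware is that Rails keeps one real token per session and only XORs it with a fresh one-time pad on each render, suggest "randomly masked CSRF tokens" on line 5, or one clause saying that the per-request randomness is the mask and not the token, so the two sentences agree.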
@@ -46,6 +46,7 @@ This middleware can also add a default `Cache-Control` header for responses it *
|
|
46
46
|
## Covered edge cases
|
47
47
|
|
48
48
|
- Different `ETags` are generated when the same content is accessed with different Rack sessions.
|
49
|
+
- Different `ETags` are generated when a Rails controller manually rotates the CSRF token.
|
49
50
|
- `ETags` are only generated when the response is `Cache-Control: private` (this is a default in Rails).
|
50
51
|
- No `ETag` is generated when the response already has an `ETag` header.
|
51
52
|
- No `ETag` is generated when the response already has an `Last-Modified` header.
|
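Review bot: the new bullet on line 49 should name where the token is read from, because the guarantee is narrower than it sounds: the middleware reads the real token from the Rack session under `_csrf_token`, the key Rails uses, so an application that stores the token elsewhere gets no rotation-awareness. It would also help to state the user-visible effect rather than repeating the wording of the session bullet above it: after a manual rotation the cached copy is invalidated, so the client does not keep serving a page whose embedded masked token no longer validates against the session.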
data/lib/rack/steady_etag.rb
CHANGED
@@ -135,8 +135,17 @@ module Rack
|
|
135
135
|
def initialize_digest(session)
|
136
136
|
digest = Digest::SHA256.new
|
137
137
|
|
138
|
-
if session
|
139
|
-
|
138
|
+
if session
|
139
|
+
if (session_id = session['session_id'])
|
140
|
+
digest << session_id.to_s
|
141
|
+
end
|
142
|
+
|
143
|
+
# When we sign in or out with Devise, we always get a new session ID
|
144
|
+
# and CSRF token. Lets anyway include the real (unmasked) CSRF token in the
|
145
|
+
# digest in case a Rails controller manually rotates the token.
|
146
|
+
if (rails_csrf_token = session['_csrf_token'])
|
147
|
+
digest << rails_csrf_token.to_s
|
148
|
+
end
|
140
149
|
end
|
141
150
|
|
142
151
|
digest
|
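Review bot: on new lines 140 and 147 the session id and the real CSRF token are appended to the digest back to back with no separator or length prefix, and the response body is appended later, so the ETag is a hash over the bare concatenation and two different (session_id, token) pairs with the same concatenation would collide. Both values are fixed-length random strings under Rails' defaults, so this is not exploitable today, but domain separation is cheap and keeps the digest unambiguous if either format ever changes, e.g. `digest << session_id.to_s << "\n"` and `digest << rails_csrf_token.to_s << "\n"`. Minor: "Lets" on line 144 should be "Let's", and the comment could say explicitly that the token only enters the SHA256 input and never appears in the header, since a reader seeing a secret fed into an ETag will otherwise stop to check.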
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rack-steady_etag
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.3.
|
4
|
+
version: 0.3.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Henning Koch
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2022-07-
|
11
|
+
date: 2022-07-29 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rack
|
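Review bot: `cert_chain: []` on line 10 shows the release is still pushed unsigned, and since this hunk only bumps `version` and `date`, it is a cheap moment to add `spec.signing_key` and `spec.cert_chain` to the gemspec so that consumers installing with `gem install -P HighSecurity` can verify the package. The SHA256 and SHA512 lines in checksums.yaml do not provide that on their own, because they ship inside the .gem they describe.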