Cache cannot distinguish between OPTIONS and GET #20202
Comments
|
|
|
Just a follow up on this one, I confirm the issue is not present on Symfony 3.1.2, so that I think this also comes from the same commit which caused #19582 (OPTIONS method is now considered as safe). |
|
I think its not as easy as just putting the request method into the cache key generation 😉 As far as I can see the HttpCache will try to return a cached reponse for a previous Added a test case to confirm the issue here: 78c4a0c Headers should not be part of the cache key like @stof said. That's what the Vary headers are meant to be used for 😉 |
|
But OPTIONS requests are not cacheable. So the only thing we have to solve is to bypass the cache entirely in this case (thus no cache key building involved), right? |
|
@xabbuh ah good point 😊 👍 Will simply adjust my branch and create a PR then 😉 |
|
Instead of hardcoding this behavior in the |
|
@dunglas agreed 😊 Makes sense. Updated my PR. |
This PR was merged into the 2.7 branch. Discussion ---------- [HttpCache] fix: do not cache OPTIONS request | Q | A | ------------- | --- | Branch? | 2.7 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #20202 | License | MIT | Doc PR | - The HttpCache should not cache any OPTIONS request as they are by spec not cacheable (mentioned here #20202 (comment) by @xabbuh). Commits ------- c43de7f [HttpCache] fix: do not cache OPTIONS request
That should not apply so cleanly to a reverse caching proxy. CORS preflight requests hitting the app can take much longer than necessary, when they can actually be cached and served from the reverse proxy. |
|
@teohhanhui I don't see where you can take that from the RFC. IMO it's very clear about the possibility to cache OPTIONS requests. |
|
@xabbuh The RFC sets out the rule for HTTP caching. The AppCache, like Varnish, is not (just) a HTTP cache. A reverse caching proxy is properly part of the web server because out-of-band information can be used to allow caching where it's not usually possible. |
Hello,
I just ran into an issue with Symfony 3.1.5 concerning the HttpCache mechanism, which sends back the content of a GET method while executing an OPTIONS call.
I have a JS application which calls an API. This app uses CORS preflight OPTIONS calls to determine if he can call the API. Cache is configured on some public APIs.
On a basic example here is what happens:
I found that because the Store::generateCacheKey() method only uses the Uri to compute the cache the key, then HttpCache thinks it has found a cached version of the OPTIONS call and sends back the headers and body of the GET call instead.
I think the generateCacheKey should at least use the method when computing the key, and maybe headers like Accept-*.
The text was updated successfully, but these errors were encountered: