From: Michael Tremer
Date: Mon, 26 Jun 2023 10:09:03 +0000 (+0000)
Subject: web: Improve caching of static content
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=90199689a559b667ed8c81cbf0d7efcda387cc03;p=ipfire.org.git
web: Improve caching of static content
We need to make sure that we don't let browsers cache anything when the cookie changes (Vary: Cookie). Furthermore, we want to make sure that public caches don't cache anything when the content is sent to a logged in user (Cache-Control: private). Finally, we want to indicate to caches how long something can be cached which we do with an additional Cache-Control header and Expires for older clients.
Signed-off-by: Michael Tremer
---
diff --git a/src/web/auth.py b/src/web/auth.py
index 792205fe..e06211fb 100644
--- a/src/web/auth.py
+++ b/src/web/auth.py
@@ -7,13 +7,7 @@ import urllib.parse
 from . import base
 class CacheMixin(object):
- def prepare(self):
- # Mark this as private when someone is logged in
- if self.current_user:
- self.add_header("Cache-Control", "private")
-
- self.add_header("Cache-Control", "no-store")
-
+ pass
 class AuthenticationMixin(CacheMixin):
 def login(self, account):
diff --git a/src/web/base.py b/src/web/base.py
index 376eff73..453400ea 100644
--- a/src/web/base.py
+++ b/src/web/base.py
@@ -36,13 +36,21 @@ class ratelimit(object):
 class BaseHandler(tornado.web.RequestHandler):
+ def prepare(self):
+ # Mark this as private when someone is logged in
+ if self.current_user:
+ self.set_header("Cache-Control", "private")
+
+ # Always send Vary: Cookie
+ self.set_header("Vary", "Cookie")
+
 def set_expires(self, seconds):
 # For HTTP/1.1
 self.add_header("Cache-Control", "max-age=%s, must-revalidate" % seconds)
 # For HTTP/1.0
 expires = datetime.datetime.utcnow() + datetime.timedelta(seconds=seconds)
- self.add_header("Expires", expires)
+ self.set_header("Expires", expires)
 def write_error(self, status_code, **kwargs):
 # Translate code into message
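Review bot: With `CacheMixin` reduced to `pass` in src/web/auth.py, handlers built on `AuthenticationMixin` no longer send `Cache-Control: no-store`, and the new `BaseHandler.prepare` does not replace it: a visitor who is not yet logged in gets no Cache-Control header from that method at all. The commit message only talks about static content, so it is worth confirming that login and account pages are meant to become storable by browsers and intermediaries. If they are not, keep an override that chains to the base class: `def prepare(self):`, `super().prepare()`, `self.set_header("Cache-Control", "no-store")`, assuming the mixin still comes before `BaseHandler` in the MRO of the handlers that use it. `AuthenticationMixin.login` continues outside the hunk.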
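Review bot: The `Cache-Control: private` and `Vary: Cookie` headers set by the new `prepare` in src/web/base.py do not survive the error path, because Tornado's `send_error()` calls `clear()` and so resets the response headers before it invokes `write_error`. An error page rendered for a logged-in user therefore goes out without either header; whether `error.html` shows account-specific content is not visible here. If error pages should not be stored, re-apply the headers in `write_error` before `self.render(...)`, for example `self.set_header("Vary", "Cookie")` and `self.set_header("Cache-Control", "no-store")`. Separately, `set_expires` still uses `add_header` for Cache-Control while Expires now uses `set_header`, so a second call would leave two `max-age` values next to a single Expires. `write_error` continues outside the hunk.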
@@ -53,12 +61,6 @@ class BaseHandler(tornado.web.RequestHandler):
 self.render("error.html", status_code=status_code, message=message, **kwargs)
- def xsrf_form_html(self, *args, **kwargs):
- # Set Vary: Cookie header
- self.add_header("Vary", "Cookie")
-
- return super().xsrf_form_html(*args, **kwargs)
-
 @property
 def hostname(self):
 # Return hostname in production