gateway: CORS and `Cache-Control: only-if-cached`

Question

gateway: CORS and `Cache-Control: only-if-cached`

MarcoPolo opened this issue 2 years ago · 1 comments

Without this you cannot make a CORS request for content with the Cache-Controle header.

For example, this request to check if the gateway has the cid in cache fails (from a different origin):

await fetch(new Request(`${url}/ipfs/${cid.toString()}/`, { method: 'HEAD', headers: { 'Cache-Control': 'only-if-cached' } }))

A server should be able to fix this by setting the header

"Access-Control-Allow-Headers"="Cache-Control"

This should probably be mentioned here: https://specs.ipfs.tech/http-gateways/path-gateway/#cache-control-request-header.

I believe @lidel mentioned setting this header alone might not be enough, but from some local testing, it seems to work fine(?)

Answer 1 · 2023-04-21T14:40:09.000Z

Thanks for raising this issue @MarcoPolo

The problem I mentioned was browsers blocking only-if-cached in cross-origin requests. There was some back and forth around this (whatwg/fetch#159, whatwg/fetch#295) and https://fetch.spec.whatwg.org states:

"only-if-cached"
Fetch uses any response in the HTTP cache matching the request, not paying attention to staleness. If there was no response, it returns a network error. (Can only be used when request’s mode is "same-origin". Any cached redirects will be followed assuming request’s redirect mode is "follow" and the redirects do not violate request’s mode.)

Thing to confirm to check if setting Access-Control-Allow-Headers lifts the "Can only be used when request’s mode is same-origin" limitation in all browsers (Chromium, Firefox, Safari) and allows example.com to do cross-origin fetch from ipfs.io.

If setting Access-Control-Allow-Headers is enough, I agree, we should document it in the spec. I think we need a dedicated CORS section in "Notes for implementers" anyway (some prior art in /routing/v1 spec)

If it is not enough, then we may need IPFS-specific solution, probably a dedicated HTTP header Ipfs-Cache-Control and URL query parameter for controlling the cache behavior beyong HTTP semantics ('get', 'has' 'get-only-if-has'). But would be nicer if we don't need this.

@MarcoPolo Would you have time to check current state of only-if-cached and open a PR to update specs to make it work?

We would then apply fix in boxo/gateway and add conformance tests to https://github.com/ipfs/gateway-conformance.