question: http2_push_preload request with cookie

powiii corestudiosinc at gmail.com
Wed Jul 25 13:01:31 UTC 2018


Hello.

I've recently experimented with the `http2_push_preload` directive to preemptively
submit a response to an XHR request. I've noticed that in the request that nginx
performs to fetch the hinted resource, no cookies are submitted. However, Chrome
does not consider the cached response a candidate for serving the actual XHR that is later
sent by the client, which contains `withCredentials=true` and does contain cookies.

This is problematic in scenarios where cookies are required to be present. For example,
assume the following case:

- a logged in user visits page A that we know will trigger an XHR to B.json
- information about the session of the user is persisted in a cookie
- B.json can only be served to logged in users
- we want to push B.json to the client using an early hint, since we know it'll be needed

what happens now is the following:

1) Chrome requests page A, nginx responds with page A and an early hint for B.json
2) nginx requests B.json *without* sending any cookies
3) Chrome fetches response for A and B.json
4) Chrome performs an XHR(withCredentials=true) to fetch B.json and does not use B.json from the push cache,
 since it considers it a different request altogether

My question is: how are we supposed to treat such a case? Are there any plans to support this?

Thanks in advance,

P.S. The ruby script I've used is the following and can be run with `bundle exec rackup test.rb` (requires ruby and bundler):

```ruby
require 'rack'
require 'webrick'

# Path of the resource we want nginx to push; the page's XHR requests it.
XHR = "/foo.json"

body = %{
<html>
<head></head>
<body>
 I'm the homepage and I'm performing an XHR

 <script>
         var oReq = new XMLHttpRequest();
         oReq.open("GET", "#{XHR}");

         // if set to true, it doesn't work in Chrome
         oReq.withCredentials = false;
         oReq.send();
 </script>
</body>
</html>
}

app = Proc.new do |env|
     puts # blank line between requests in the server log
     if env["PATH_INFO"].include?(".json")
             # the resource that nginx pushes
             ['200', {'Content-Type' => 'application/json'}, ['{"foo":"bar"}']]
     else
             # the Link header is what http2_push_preload turns into a push request
             ['200', {'Content-Type' => 'text/html', "Link" => "<#{XHR}>; rel=preload; as=fetch; crossorigin"}, [body]]
     end
end

Rack::Handler::WEBrick.run(app, Port: 8123)
```

OS: Darwin 17.4.0 Darwin Kernel Version 17.4.0: Sun Dec 17 09:19:54 PST 2017; root:xnu-4570.41.2~1/RELEASE_X86_64 x86_64

nginx version: nginx/1.15.1
built by clang 9.1.0 (clang-902.0.39.2)
built with OpenSSL 1.0.2o  27 Mar 2018
TLS SNI support enabled
configure arguments: --prefix=/usr/local/Cellar/nginx/1.15.1 --sbin-path=/usr/local/Cellar/nginx/1.15.1/bin/nginx --with-cc-opt='-I/usr/local/opt/pcre/include -I/usr/local/opt/openssl/include' --with-ld-opt='-L/usr/local/opt/pcre/lib -L/usr/local/opt/openssl/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --pid-path=/usr/local/var/run/nginx.pid --lock-path=/usr/local/var/run/nginx.lock --http-client-body-temp-path=/usr/local/var/run/nginx/client_body_temp --http-proxy-temp-path=/usr/local/var/run/nginx/proxy_temp --http-fastcgi-temp-path=/usr/local/var/run/nginx/fastcgi_temp --http-uwsgi-temp-path=/usr/local/var/run/nginx/uwsgi_temp --http-scgi-temp-path=/usr/local/var/run/nginx/scgi_temp --http-log-path=/usr/local/var/log/nginx/access.log --error-log-path=/usr/local/var/log/nginx/error.log --with-debug --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-ipv6 --with-mail --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module
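The scenario in the post (B.json must only be served to logged-in users, yet the push request nginx makes carries no cookies) is worth seeing end to end from the application's side. The following is an added example, not the poster's script and not nginx code: a Rack-style app written as a plain Proc so it runs without the rack gem, with a hand-built env instead of a real server. It enforces the login check on B.json itself, so the cookie-less request that a push would generate is answered with 401 rather than with the protected data, while the credentialed XHR (session cookie present) gets the JSON. The cookie name `session_id`, the in-memory session table, the `/B.json` path and the `simulate` helper are assumptions made for this example.

```ruby
# Added example (not the original poster's script): a minimal Rack-style app,
# written as a plain Proc so it runs without the rack gem, that enforces the
# "B.json only for logged-in users" rule and shows why a push request that
# carries no Cookie header cannot be served that resource.
# The cookie name, session store, paths and helper below are assumptions.

require 'json'

XHR_PATH = '/B.json'.freeze
SESSION_COOKIE = 'session_id'.freeze

# Constructed in-memory session store: cookie value => user id.
SESSIONS = { 'abc123' => 'alice' }.freeze

# Parse a Cookie request header ("a=1; b=2") into a Hash.
def parse_cookies(header)
  return {} if header.nil? || header.empty?
  header.split(/;\s*/).each_with_object({}) do |pair, acc|
    name, value = pair.split('=', 2)
    acc[name] = value unless name.nil? || name.empty?
  end
end

# Resolve the logged-in user from the request env, or nil if there is none.
def current_user(env)
  cookies = parse_cookies(env['HTTP_COOKIE'])
  SESSIONS[cookies[SESSION_COOKIE]]
end

HOMEPAGE = <<~HTML
  <html><body>
  I'm the homepage and I'm performing a credentialed XHR
  <script>
    var oReq = new XMLHttpRequest();
    oReq.open("GET", "#{XHR_PATH}");
    oReq.withCredentials = true;
    oReq.send();
  </script>
  </body></html>
HTML

APP = proc do |env|
  if env['PATH_INFO'] == XHR_PATH
    user = current_user(env)
    if user
      ['200', { 'Content-Type' => 'application/json' },
       [JSON.generate({ 'user' => user, 'foo' => 'bar' })]]
    else
      # Authentication is enforced here, not at the edge, so a push
      # request that carries no Cookie header gets 401 instead of data.
      ['401', { 'Content-Type' => 'application/json' },
       ['{"error":"login required"}']]
    end
  else
    # The Link header is what nginx's http2_push_preload turns into a push
    # request; that request is the one that arrives without the session cookie.
    ['200', { 'Content-Type' => 'text/html',
              'Link' => "<#{XHR_PATH}>; rel=preload; as=fetch; crossorigin" },
     [HOMEPAGE]]
  end
end

# Build a minimal Rack env for a GET request and call the app, returning
# [status, headers, body_string]. Stands in for a real server so the
# behaviour can be exercised offline (hypothetical helper).
def simulate(path, cookie: nil)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => path }
  env['HTTP_COOKIE'] = cookie if cookie
  status, headers, body = APP.call(env)
  [status, headers, body.join]
end

if __FILE__ == $PROGRAM_NAME
  puts "push request (no cookie):   #{simulate(XHR_PATH)[0]}"
  puts "XHR with session cookie:    #{simulate(XHR_PATH, cookie: 'session_id=abc123')[0]}"
  puts "XHR with unknown session:   #{simulate(XHR_PATH, cookie: 'session_id=nope')[0]}"
end
```

Run it with `ruby example.rb`: the first line prints 401, the second 200, the third 401. The point for a deployment is that the push cannot be a way around the login check; an application that keyed only on the URL would hand B.json to nginx's cookie-less fetch, and it is the 401 on that path (not the browser's cache matching) that keeps the protected response from being produced for an unauthenticated request in the first place.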


More information about the nginx mailing list