Posted to dev@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2018/05/18 13:47:47 UTC

Update our HTTP headers

Hi,

At https://issues.apache.org/jira/browse/OFBIZ-6766 I have attached a minor OFBIZ-6766-UtilHttp.java.patch for updating our HTTP headers

I think it's OK to commit, but before I'd like to know if we really want to keep x-ua-compatible in several *.html files.

https://stackoverflow.com/questions/26346917/why-use-x-ua-compatible-ie-edge-anymore

I ever wonder who uses Windows nowadays (kidding ;))

Jacques


Re: Update our HTTP headers

Posted by Paul Foxworthy <pa...@cohsoft.com.au>.
Hi Jacques,

I'm happy to get rid of X-UA-Compatible.

Cheers

Paul Foxworthy


On 18 May 2018 at 23:47, Jacques Le Roux <ja...@les7arts.com>
wrote:

> Hi,
>
> At https://issues.apache.org/jira/browse/OFBIZ-6766 I have attached a
> minor OFBIZ-6766-UtilHttp.java.patch for updating our HTTP headers
>
> I think it's OK to commit, but before I'd like to know if we really want
> to keep x-ua-compatible in several *.html files.
>
> https://stackoverflow.com/questions/26346917/why-use-x-ua-compatible-ie-edge-anymore
>
> I ever wonder who uses Windows nowadays (kidding ;))
>
> Jacques
>
>


-- 
Coherent Software Australia Pty Ltd
PO Box 2773
Cheltenham Vic 3192
Australia

Phone: +61 3 9585 6788
Web: http://www.coherentsoftware.com.au/
Email: info@coherentsoftware.com.au

Re: Update our HTTP headers

Posted by Jacques Le Roux <ja...@les7arts.com>.
It's not related to IE, finally we have no problems with x-ua-compatible

Private is well explained in the 2 1st links.

Jacques

On 23/05/2018 at 15:07, Taher Alkhateeb wrote:
> There are at least 4 links and many comments in the JIRA, I'm not sure
> which one are you referring to. Anyway, it sounds correct because it
> is utilized from the function "setResponseBrowserProxyNoCache(...)"
>
> So I think it looks fine. Good job with the research. IE continues to
> cause so much headache.
>
> +1
>
> On Wed, May 23, 2018 at 1:03 PM, Jacques Le Roux
> <ja...@les7arts.com> wrote:
>> On 21/05/2018 at 20:13, Taher Alkhateeb wrote:
>>> HTTP headers setting is a complex topic with lots of details. I think
>>> we need a comprehensive source and a discussion on best practices,
>> Does not the special page I created in the wiki help?
>>
>>> maybe we should make some of the headers configurable where needed?
>> Yes why not, we can use the current values as default. They are set to
>> guarantee security. The only one which can be defaulted (but to only report)
>> is a CSP policy. Because it depends on users needs.
>>
>>> Now with respect to adding the "Cache-Control", "no-store, no-cache,
>>> must-revalidate, private", I'm not very experienced in that area, but
>>> wouldn't that affect environments where OFBiz is deployed behind a
>>> caching server? Or is this scenario non existent?
>> The idea with private is to prevent the proxy (aka caching server I guess)
>> to cache something it should not. Please refer to the documentation in the
>> commit
>>
>> Jacques
>>
>>> On Sun, May 20, 2018 at 12:22 PM, Jacques Le Roux
>>> <ja...@les7arts.com> wrote:
>>>> Hi Deepak,
>>>>
>>>> Right, I missed that apart in helpdoc the others are under
>>>> build/reports/tests/test and under jQuery
>>>>
>>>> So nothing to worry about, I'll commit the patch in one week
>>>>
>>>> Jacques
>>>>
>>>>
>>>>
>>>> On 20/05/2018 at 10:16, Deepak Dixit wrote:
>>>>> Hi Taher,
>>>>>
>>>>> x-ua-compatible used in html file directly and I think it's used only in
>>>>> helpdoc html content,
>>>>>
>>>>> Jacques Comments from task:
>>>>>>> I have attached the OFBIZ-6766-UtilHttp.java.patch and will ask about
>>>>> x-ua-compatible on dev ML before committing
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Thanks & Regards
>>>>> --
>>>>> Deepak Dixit
>>>>> www.hotwax.co
>>>>>
>>>>> On Sat, May 19, 2018 at 11:50 PM, Taher Alkhateeb <
>>>>> slidingfilaments@gmail.com> wrote:
>>>>>
>>>>>> Hi Jacques,
>>>>>>
>>>>>> I could be mistaken, but looking at the patch I did not see anything
>>>>>> related to x-ua-compatible. Am I looking at the right JIRA 6766? It
>>>>>> only has one attachment that sets the Cache-Control flags?
>>>>>>
>>>>>> On Fri, May 18, 2018 at 4:47 PM, Jacques Le Roux
>>>>>> <ja...@les7arts.com> wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> At https://issues.apache.org/jira/browse/OFBIZ-6766 I have attached a
>>>>>>> minor OFBIZ-6766-UtilHttp.java.patch for updating our HTTP headers
>>>>>>>
>>>>>>> I think it's OK to commit, but before I'd like to know if we really
>>>>>>> want to keep x-ua-compatible in several *.html files.
>>>>>>>
>>>>>>> https://stackoverflow.com/questions/26346917/why-use-x-ua-compatible-ie-edge-anymore
>>>>>>>
>>>>>>> I ever wonder who uses Windows nowadays (kidding ;))
>>>>>>>
>>>>>>> Jacques
>>>>>>>


Re: Update our HTTP headers

Posted by Taher Alkhateeb <sl...@gmail.com>.
There are at least 4 links and many comments in the JIRA, I'm not sure
which one are you referring to. Anyway, it sounds correct because it
is utilized from the function "setResponseBrowserProxyNoCache(...)"

So I think it looks fine. Good job with the research. IE continues to
cause so much headache.

+1

On Wed, May 23, 2018 at 1:03 PM, Jacques Le Roux
<ja...@les7arts.com> wrote:
> On 21/05/2018 at 20:13, Taher Alkhateeb wrote:
>>
>> HTTP headers setting is a complex topic with lots of details. I think
>> we need a comprehensive source and a discussion on best practices,
>
> Does not the special page I created in the wiki help?
>
>> maybe we should make some of the headers configurable where needed?
>
> Yes why not, we can use the current values as default. They are set to
> guarantee security. The only one which can be defaulted (but to only report)
> is a CSP policy. Because it depends on users needs.
>
>> Now with respect to adding the "Cache-Control", "no-store, no-cache,
>> must-revalidate, private", I'm not very experienced in that area, but
>> wouldn't that affect environments where OFBiz is deployed behind a
>> caching server? Or is this scenario non existent?
>
> The idea with private is to prevent the proxy (aka caching server I guess)
> to cache something it should not. Please refer to the documentation in the
> commit
>
> Jacques
>
>>
>> On Sun, May 20, 2018 at 12:22 PM, Jacques Le Roux
>> <ja...@les7arts.com> wrote:
>>>
>>> Hi Deepak,
>>>
>>> Right, I missed that apart in helpdoc the others are under
>>> build/reports/tests/test and under jQuery
>>>
>>> So nothing to worry about, I'll commit the patch in one week
>>>
>>> Jacques
>>>
>>>
>>>
>>> On 20/05/2018 at 10:16, Deepak Dixit wrote:
>>>>
>>>> Hi Taher,
>>>>
>>>> x-ua-compatible used in html file directly and I think it's used only in
>>>> helpdoc html content,
>>>>
>>>> Jacques Comments from task:
>>>>>>
>>>>>> I have attached the OFBIZ-6766-UtilHttp.java.patch and will ask about
>>>>
>>>> x-ua-compatible on dev ML before committing
>>>>
>>>>
>>>>
>>>>
>>>> Thanks & Regards
>>>> --
>>>> Deepak Dixit
>>>> www.hotwax.co
>>>>
>>>> On Sat, May 19, 2018 at 11:50 PM, Taher Alkhateeb <
>>>> slidingfilaments@gmail.com> wrote:
>>>>
>>>>> Hi Jacques,
>>>>>
>>>>> I could be mistaken, but looking at the patch I did not see anything
>>>>> related to x-ua-compatible. Am I looking at the right JIRA 6766? It
>>>>> only has one attachment that sets the Cache-Control flags?
>>>>>
>>>>> On Fri, May 18, 2018 at 4:47 PM, Jacques Le Roux
>>>>> <ja...@les7arts.com> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> At https://issues.apache.org/jira/browse/OFBIZ-6766 I have attached a
>>>>>> minor OFBIZ-6766-UtilHttp.java.patch for updating our HTTP headers
>>>>>>
>>>>>> I think it's OK to commit, but before I'd like to know if we really
>>>>>> want to keep x-ua-compatible in several *.html files.
>>>>>>
>>>>>> https://stackoverflow.com/questions/26346917/why-use-x-ua-compatible-ie-edge-anymore
>>>>>>
>>>>>> I ever wonder who uses Windows nowadays (kidding ;))
>>>>>>
>>>>>> Jacques
>>>>>>
>

Re: Update our HTTP headers

Posted by Jacques Le Roux <ja...@les7arts.com>.
On 21/05/2018 at 20:13, Taher Alkhateeb wrote:
> HTTP headers setting is a complex topic with lots of details. I think
> we need a comprehensive source and a discussion on best practices,
Does not the special page I created in the wiki help?

> maybe we should make some of the headers configurable where needed?
Yes why not, we can use the current values as default. They are set to guarantee security. The only one which can be defaulted (but to only report) is 
a CSP policy. Because it depends on users needs.

> Now with respect to adding the "Cache-Control", "no-store, no-cache,
> must-revalidate, private", I'm not very experienced in that area, but
> wouldn't that affect environments where OFBiz is deployed behind a
> caching server? Or is this scenario non existent?
The idea with private is to prevent the proxy (aka caching server I guess) to cache something it should not. Please refer to the documentation in the 
commit

Jacques
>
> On Sun, May 20, 2018 at 12:22 PM, Jacques Le Roux
> <ja...@les7arts.com> wrote:
>> Hi Deepak,
>>
>> Right, I missed that apart in helpdoc the others are under
>> build/reports/tests/test and under jQuery
>>
>> So nothing to worry about, I'll commit the patch in one week
>>
>> Jacques
>>
>>
>>
>> On 20/05/2018 at 10:16, Deepak Dixit wrote:
>>> Hi Taher,
>>>
>>> x-ua-compatible used in html file directly and I think it's used only in
>>> helpdoc html content,
>>>
>>> Jacques Comments from task:
>>>>> I have attached the OFBIZ-6766-UtilHttp.java.patch and will ask about
>>> x-ua-compatible on dev ML before committing
>>>
>>>
>>>
>>>
>>> Thanks & Regards
>>> --
>>> Deepak Dixit
>>> www.hotwax.co
>>>
>>> On Sat, May 19, 2018 at 11:50 PM, Taher Alkhateeb <
>>> slidingfilaments@gmail.com> wrote:
>>>
>>>> Hi Jacques,
>>>>
>>>> I could be mistaken, but looking at the patch I did not see anything
>>>> related to x-ua-compatible. Am I looking at the right JIRA 6766? It
>>>> only has one attachment that sets the Cache-Control flags?
>>>>
>>>> On Fri, May 18, 2018 at 4:47 PM, Jacques Le Roux
>>>> <ja...@les7arts.com> wrote:
>>>>> Hi,
>>>>>
>>>>> At https://issues.apache.org/jira/browse/OFBIZ-6766 I have attached a
>>>>> minor OFBIZ-6766-UtilHttp.java.patch for updating our HTTP headers
>>>>>
>>>>> I think it's OK to commit, but before I'd like to know if we really want
>>>>> to keep x-ua-compatible in several *.html files.
>>>>>
>>>>> https://stackoverflow.com/questions/26346917/why-use-x-ua-compatible-ie-edge-anymore
>>>>>
>>>>> I ever wonder who uses Windows nowadays (kidding ;))
>>>>>
>>>>> Jacques
>>>>>
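
Added example, not part of the thread and not OFBiz's UtilHttp.java code: a small Java check of how the Cache-Control value discussed above is read by a shared cache (proxy) versus the browser, following the RFC 7234 rules for `private` and `no-store`. The class and method names are hypothetical, and the second and third sample values are constructed for comparison.

```java
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

public class CacheControlCheck {

    // Split a Cache-Control value into lower-cased directive names
    // ("max-age=600" -> "max-age"). Simplification: a qualified form such as
    // private="Set-Cookie" is treated like a bare "private" (the stricter reading),
    // and commas inside quoted arguments are not handled.
    static Set<String> directives(String headerValue) {
        return Arrays.stream(headerValue.split(","))
                .map(d -> d.trim().toLowerCase(Locale.ROOT))
                .map(d -> d.contains("=") ? d.substring(0, d.indexOf('=')) : d)
                .filter(d -> !d.isEmpty())
                .collect(Collectors.toSet());
    }

    // A shared cache (proxy, CDN) must not store a response marked private or no-store.
    // Only these directives are considered here, not status codes or request headers.
    static boolean sharedCacheMayStore(String headerValue) {
        Set<String> d = directives(headerValue);
        return !d.contains("private") && !d.contains("no-store");
    }

    // A private cache (the browser) is not restricted by "private" but must honour no-store.
    static boolean browserMayStore(String headerValue) {
        return !directives(headerValue).contains("no-store");
    }

    public static void main(String[] args) {
        String[] samples = {
            "no-store, no-cache, must-revalidate, private", // value quoted in the thread
            "private, max-age=600",                          // constructed sample
            "public, max-age=600"                            // constructed sample
        };
        for (String s : samples) {
            System.out.printf("%-46s proxy may store: %-5b browser may store: %b%n",
                    s, sharedCacheMayStore(s), browserMayStore(s));
        }
    }
}
```

With the value from the thread, neither the proxy nor the browser may store the response; `private` on its own only takes the proxy out, which is the behaviour the question about caching servers turns on.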


Re: Update our HTTP headers

Posted by Taher Alkhateeb <sl...@gmail.com>.
Ok so that's why we should generally try to avoid mixing topics
together in the same thread, that's what threw me off into a tangent.
HTTP headers setting is a complex topic with lots of details. I think
we need a comprehensive source and a discussion on best practices,
maybe we should make some of the headers configurable where needed?

Now with respect to adding the "Cache-Control", "no-store, no-cache,
must-revalidate, private", I'm not very experienced in that area, but
wouldn't that affect environments where OFBiz is deployed behind a
caching server? Or is this scenario non existent?

On Sun, May 20, 2018 at 12:22 PM, Jacques Le Roux
<ja...@les7arts.com> wrote:
> Hi Deepak,
>
> Right, I missed that apart in helpdoc the others are under
> build/reports/tests/test and under jQuery
>
> So nothing to worry about, I'll commit the patch in one week
>
> Jacques
>
>
>
> On 20/05/2018 at 10:16, Deepak Dixit wrote:
>>
>> Hi Taher,
>>
>> x-ua-compatible used in html file directly and I think it's used only in
>> helpdoc html content,
>>
>> Jacques Comments from task:
>>>>
>>>> I have attached the OFBIZ-6766-UtilHttp.java.patch and will ask about
>>
>> x-ua-compatible on dev ML before committing
>>
>>
>>
>>
>> Thanks & Regards
>> --
>> Deepak Dixit
>> www.hotwax.co
>>
>> On Sat, May 19, 2018 at 11:50 PM, Taher Alkhateeb <
>> slidingfilaments@gmail.com> wrote:
>>
>>> Hi Jacques,
>>>
>>> I could be mistaken, but looking at the patch I did not see anything
>>> related to x-ua-compatible. Am I looking at the right JIRA 6766? It
>>> only has one attachment that sets the Cache-Control flags?
>>>
>>> On Fri, May 18, 2018 at 4:47 PM, Jacques Le Roux
>>> <ja...@les7arts.com> wrote:
>>>>
>>>> Hi,
>>>>
>>>> At https://issues.apache.org/jira/browse/OFBIZ-6766 I have attached a
>>>> minor OFBIZ-6766-UtilHttp.java.patch for updating our HTTP headers
>>>>
>>>> I think it's OK to commit, but before I'd like to know if we really want
>>>> to keep x-ua-compatible in several *.html files.
>>>>
>>>> https://stackoverflow.com/questions/26346917/why-use-x-ua-compatible-ie-edge-anymore
>>>>
>>>> I ever wonder who uses Windows nowadays (kidding ;))
>>>>
>>>> Jacques
>>>>
>

Re: Update our HTTP headers

Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Deepak,

Right, I missed that apart in helpdoc the others are under build/reports/tests/test and under jQuery

So nothing to worry about, I'll commit the patch in one week

Jacques


On 20/05/2018 at 10:16, Deepak Dixit wrote:
> Hi Taher,
>
> x-ua-compatible used in html file directly and I think it's used only in
> helpdoc html content,
>
> Jacques Comments from task:
>>> I have attached the OFBIZ-6766-UtilHttp.java.patch and will ask about
> x-ua-compatible on dev ML before committing
>
>
>
>
> Thanks & Regards
> --
> Deepak Dixit
> www.hotwax.co
>
> On Sat, May 19, 2018 at 11:50 PM, Taher Alkhateeb <
> slidingfilaments@gmail.com> wrote:
>
>> Hi Jacques,
>>
>> I could be mistaken, but looking at the patch I did not see anything
>> related to x-ua-compatible. Am I looking at the right JIRA 6766? It
>> only has one attachment that sets the Cache-Control flags?
>>
>> On Fri, May 18, 2018 at 4:47 PM, Jacques Le Roux
>> <ja...@les7arts.com> wrote:
>>> Hi,
>>>
>>> At https://issues.apache.org/jira/browse/OFBIZ-6766 I have attached a
>>> minor OFBIZ-6766-UtilHttp.java.patch for updating our HTTP headers
>>>
>>> I think it's OK to commit, but before I'd like to know if we really want
>>> to keep x-ua-compatible in several *.html files.
>>>
>>> https://stackoverflow.com/questions/26346917/why-use-x-ua-compatible-ie-edge-anymore
>>>
>>> I ever wonder who uses Windows nowadays (kidding ;))
>>>
>>> Jacques
>>>


Re: Update our HTTP headers

Posted by Deepak Dixit <de...@hotwaxsystems.com>.
Hi Taher,

x-ua-compatible used in html file directly and I think it's used only in
helpdoc html content,

Jacques Comments from task:
>>I have attached the OFBIZ-6766-UtilHttp.java.patch and will ask about
x-ua-compatible on dev ML before committing




Thanks & Regards
--
Deepak Dixit
www.hotwax.co

On Sat, May 19, 2018 at 11:50 PM, Taher Alkhateeb <
slidingfilaments@gmail.com> wrote:

> Hi Jacques,
>
> I could be mistaken, but looking at the patch I did not see anything
> related to x-ua-compatible. Am I looking at the right JIRA 6766? It
> only has one attachment that sets the Cache-Control flags?
>
> On Fri, May 18, 2018 at 4:47 PM, Jacques Le Roux
> <ja...@les7arts.com> wrote:
> > Hi,
> >
> > At https://issues.apache.org/jira/browse/OFBIZ-6766 I have attached a
> > minor OFBIZ-6766-UtilHttp.java.patch for updating our HTTP headers
> >
> > I think it's OK to commit, but before I'd like to know if we really want
> > to keep x-ua-compatible in several *.html files.
> >
> > https://stackoverflow.com/questions/26346917/why-use-x-ua-compatible-ie-edge-anymore
> >
> > I ever wonder who uses Windows nowadays (kidding ;))
> >
> > Jacques
> >
>

Re: Update our HTTP headers

Posted by Taher Alkhateeb <sl...@gmail.com>.
Hi Jacques,

I could be mistaken, but looking at the patch I did not see anything
related to x-ua-compatible. Am I looking at the right JIRA 6766? It
only has one attachment that sets the Cache-Control flags?

On Fri, May 18, 2018 at 4:47 PM, Jacques Le Roux
<ja...@les7arts.com> wrote:
> Hi,
>
> At https://issues.apache.org/jira/browse/OFBIZ-6766 I have attached a minor
> OFBIZ-6766-UtilHttp.java.patch for updating our HTTP headers
>
> I think it's OK to commit, but before I'd like to know if we really want to
> keep x-ua-compatible in several *.html files.
>
> https://stackoverflow.com/questions/26346917/why-use-x-ua-compatible-ie-edge-anymore
>
> I ever wonder who uses Windows nowadays (kidding ;))
>
> Jacques
>

Re: Update our HTTP headers

Posted by Jacques Le Roux <ja...@les7arts.com>.
Committed at r1832128

Jacques


On 18/05/2018 at 15:47, Jacques Le Roux wrote:
> Hi,
>
> At https://issues.apache.org/jira/browse/OFBIZ-6766 I have attached a minor OFBIZ-6766-UtilHttp.java.patch for updating our HTTP headers
>
> I think it's OK to commit, but before I'd like to know if we really want to keep x-ua-compatible in several *.html files.
>
> https://stackoverflow.com/questions/26346917/why-use-x-ua-compatible-ie-edge-anymore
>
> I ever wonder who uses Windows nowadays (kidding ;))
>
> Jacques
>
>