Posted to dev@pagespeed.apache.org by GitBox <gi...@apache.org> on 2020/04/15 20:07:54 UTC

[GitHub] [incubator-pagespeed-mod] echu2013 opened a new issue #1988: x-content-type-options nosniff duplicated

echu2013 opened a new issue #1988: x-content-type-options nosniff duplicated
URL: https://github.com/apache/incubator-pagespeed-mod/issues/1988
 
 
   In my scenario, where I choose the following Apache configuration setting:
   `Header set X-Content-Type-Options "nosniff"`
   The following happens with, for example, images or CSS rewritten by **mod_pagespeed**:
   ![image](https://user-images.githubusercontent.com/4950107/79383170-2217bb00-7f3b-11ea-81c9-47c71dc06378.png)
   Disabling with `ModPageSpeed Off` reverts the behaviour.
   
   Looking at the source code, I found the following:
   https://github.com/apache/incubator-pagespeed-mod/blob/409bd76fd6eafc4cf1c414e679f3e912447a6a31/pagespeed/apache/apache_fetch.cc#L121
   which I suspect should be this way:
   ```
   // Replace, as in "add if not already present".  The only valid value for this
   // header is "nosniff", so we don't have to worry about clobbering existing
   // usage.
   response_headers()->Replace("X-Content-Type-Options", "nosniff");
   ```
   
   In short: Replace instead of Add (which duplicates the header if previously added).

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
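
The Add-versus-Replace difference this issue reports, as an added example that is not mod_pagespeed code: a minimal header list in which Replace is assumed to be remove-all-then-add, run against a response that already carries the header. `HeaderList` and `CopiesAfter` are hypothetical names and the scenario is constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <utility>
#include <vector>

// Simplified model of a response header list (hypothetical class, not
// mod_pagespeed's own code). Field names compare case-insensitively.
class HeaderList {
 public:
  // Add appends unconditionally, even when the name is already present.
  void Add(const std::string& name, const std::string& value) {
    fields_.emplace_back(name, value);
  }
  // RemoveAll drops every field carrying this name.
  void RemoveAll(const std::string& name) {
    fields_.erase(std::remove_if(fields_.begin(), fields_.end(),
                                 [&](const Field& f) { return Same(f.first, name); }),
                  fields_.end());
  }
  // Replace is assumed to be RemoveAll followed by Add.
  void Replace(const std::string& name, const std::string& value) {
    RemoveAll(name);
    Add(name, value);
  }
  int Count(const std::string& name) const {
    return static_cast<int>(std::count_if(fields_.begin(), fields_.end(),
        [&](const Field& f) { return Same(f.first, name); }));
  }
 private:
  using Field = std::pair<std::string, std::string>;
  static bool Same(const std::string& a, const std::string& b) {
    return a.size() == b.size() &&
           std::equal(a.begin(), a.end(), b.begin(),
                      [](unsigned char x, unsigned char y) {
                        return std::tolower(x) == std::tolower(y);
                      });
  }
  std::vector<Field> fields_;
};

// Constructed scenario: the header is already in the list (lower-case spelling)
// when a second component stamps its own copy. Returns the resulting count.
int CopiesAfter(bool use_replace) {
  HeaderList h;
  h.Add("x-content-type-options", "nosniff");
  if (use_replace) h.Replace("X-Content-Type-Options", "nosniff");
  else h.Add("X-Content-Type-Options", "nosniff");
  return h.Count("X-Content-Type-Options");
}
```

In this model Replace only collapses copies held in the list it is called on; a copy appended to the response by a different layer afterwards is not affected.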

[GitHub] [incubator-pagespeed-mod] Lofesa commented on issue #1988: x-content-type-options nosniff duplicated

Posted by GitBox <gi...@apache.org>.
Lofesa commented on issue #1988: x-content-type-options nosniff duplicated
URL: https://github.com/apache/incubator-pagespeed-mod/issues/1988#issuecomment-614262042
 
 
   As a workaround you can set the header conditionally.
   See https://stackoverflow.com/questions/42791279/how-to-set-apache-conditional-header-based-on-url


[GitHub] [incubator-pagespeed-mod] echu2013 commented on issue #1988: x-content-type-options nosniff duplicated

Posted by GitBox <gi...@apache.org>.
echu2013 commented on issue #1988: x-content-type-options nosniff duplicated
URL: https://github.com/apache/incubator-pagespeed-mod/issues/1988#issuecomment-614709630
 
 
   Rewritten content does not suffer from duplicated headers, see:
   ![image](https://user-images.githubusercontent.com/4950107/79472151-dd8f2c80-7fd9-11ea-870b-4d930796df2b.png)
   I think this is why:
   https://github.com/apache/incubator-pagespeed-mod/blob/409bd76fd6eafc4cf1c414e679f3e912447a6a31/net/instaweb/rewriter/rewrite_context.cc#L2820
   
   **NOTE Replace instead of Add**
   


[GitHub] [incubator-pagespeed-mod] echu2013 commented on issue #1988: x-content-type-options nosniff duplicated

Posted by GitBox <gi...@apache.org>.
echu2013 commented on issue #1988: x-content-type-options nosniff duplicated
URL: https://github.com/apache/incubator-pagespeed-mod/issues/1988#issuecomment-614338423
 
 
   Sorry @Lofesa, but that does not apply for me.
   I also tried to set the header if empty, without success; page speed applies after any set header directive.


[GitHub] [incubator-pagespeed-mod] echu2013 commented on issue #1988: x-content-type-options nosniff duplicated

Posted by GitBox <gi...@apache.org>.
echu2013 commented on issue #1988: x-content-type-options nosniff duplicated
URL: https://github.com/apache/incubator-pagespeed-mod/issues/1988#issuecomment-614954115
 
 
   > What happens if you don't add the header in apache config?
   
   It just appears once, as desired. But other stuff not processed by mod_pagespeed then lacks this header, which is not my intended behaviour.


[GitHub] [incubator-pagespeed-mod] echu2013 commented on issue #1988: x-content-type-options nosniff duplicated

Posted by GitBox <gi...@apache.org>.
echu2013 commented on issue #1988: x-content-type-options nosniff duplicated
URL: https://github.com/apache/incubator-pagespeed-mod/issues/1988#issuecomment-614695782
 
 
   > Hi
   > But pagespeed applies only to rewritten resources, aka optimized. When a resource is rewritten by pagespeed, the URL contains the word "pagespeed", so you need to put the header only on resources that don't have the pagespeed text in it
   
   I have CSS that are minified (and name is not rewritten) and also some very tiny PNGs that aren't rewritten but the header is added.
   See an example:
   ![image](https://user-images.githubusercontent.com/4950107/79469752-f64a1300-7fd6-11ea-913b-986132502815.png)
   **The second I disable ModPageSpeed, the header ceases to be duplicated.**


[GitHub] [incubator-pagespeed-mod] Lofesa edited a comment on issue #1988: x-content-type-options nosniff duplicated

Posted by GitBox <gi...@apache.org>.
Lofesa edited a comment on issue #1988: x-content-type-options nosniff duplicated
URL: https://github.com/apache/incubator-pagespeed-mod/issues/1988#issuecomment-615333747
 
 
   Does the stuff not processed by pagespeed have any common characteristic?
   If they have a common characteristic (from the same folder, some file type...) maybe you can add the header selectively to these resources.
   
   I found in the code that x-content-type header is added in 3 files:
   https://github.com/apache/incubator-pagespeed-mod/blob/b4bf44cc56d8bbf17494c540dfb6ef20dfcf5073/pagespeed/apache/instaweb_handler.cc#L623
   
   https://github.com/apache/incubator-pagespeed-mod/blob/b4bf44cc56d8bbf17494c540dfb6ef20dfcf5073/net/instaweb/rewriter/server_context.cc#L1104
   
   https://github.com/apache/incubator-pagespeed-mod/blob/b4bf44cc56d8bbf17494c540dfb6ef20dfcf5073/pagespeed/apache/apache_fetch.cc#L121
   
   The server_context.cc file seems not to be related.
   I don't have any Apache environment to test whether changing these to header->Replace can break anything.
   Maybe @oschaaf or @jmarantz have some clue.
   


[GitHub] [incubator-pagespeed-mod] Lofesa commented on issue #1988: x-content-type-options nosniff duplicated

Posted by GitBox <gi...@apache.org>.
Lofesa commented on issue #1988: x-content-type-options nosniff duplicated
URL: https://github.com/apache/incubator-pagespeed-mod/issues/1988#issuecomment-614529532
 
 
   Hi
   But pagespeed applies only to rewritten resources, aka optimized. When a resource is rewritten by pagespeed, the URL contains the word "pagespeed", so you need to put the header only on resources that don't have the pagespeed text in it


[GitHub] [incubator-pagespeed-mod] Lofesa commented on issue #1988: x-content-type-options nosniff duplicated

Posted by GitBox <gi...@apache.org>.
Lofesa commented on issue #1988: x-content-type-options nosniff duplicated
URL: https://github.com/apache/incubator-pagespeed-mod/issues/1988#issuecomment-614855668
 
 
   Yes, I know that rewritten resources have only 1 header, so you need to add it to the non-rewritten ones.
   What happens with this CSS? It is a half-optimized resource. By half-optimized I mean: some optimizations are applied but the URL is not rewritten. The optimizations come from IPRO, an in-flight optimizer, but IPRO doesn't add this header.
   Maybe it is in a transient state, denoted by the s-max-age=10 in the cache-control header; this means the resource can't be stored in intermediate caches for more than 10 sec.
   Can't this file change to a rewritten version?
   If this file can't change to a rewritten version, something is wrong.
   Are there images in this file? If this file has images in it and a webp-capable browser hits it, these images are converted to webp, but if a non-webp-capable browser hits it afterwards, the file is not optimized and the whole optimization process will start again to set jpg optimizations.
   
   The headers->Replace first does a RemoveAll and then an Add, so this 2nd header must come from an Add, not from a Replace.
   
   The workaround must include a test that the response header doesn't have the PSA string and the URL doesn't have the pagespeed string.
   
   What happens if you don't add the header in apache config?
   
   

