Allow for fetch to not include __amp_source_origin so resources can be cached across pages#6637
Allow for fetch to not include __amp_source_origin so resources can be cached across pages#6637lannka merged 10 commits intoampproject:masterfrom google:a4a_fetch_wo_origin
Conversation
extensions/amp-a4a/0.1/amp-a4a.js
Outdated
| if (url) { | ||
| return xhrFor(this.win).fetchJson(url, {mode: 'cors', method: 'GET'}) | ||
| return xhrFor(this.win).fetchJson( | ||
| url, {mode: 'cors', method: 'GET', disableAmpSourceOrigin: true}) |
There was a problem hiding this comment.
Reformat object literal to multiple lines. Should this be also credentials: 'omit'?
extensions/amp-a4a/0.1/amp-a4a.js
Outdated
| if (url) { | ||
| return xhrFor(this.win).fetchJson(url, {mode: 'cors', method: 'GET'}) | ||
| return xhrFor(this.win).fetchJson( | ||
| url, {mode: 'cors', method: 'GET', disableAmpSourceOrigin: true}) |
There was a problem hiding this comment.
Add docs for why the disableAmpSourceOrigin is set.
src/service/xhr-impl.js
Outdated
| input = this.getCorsUrl(this.win, input); | ||
| fetchAmpCors_(input, init = {}) { | ||
| // Do not append __amp_source_origin | ||
| if (!(!init.requireAmpResponseSourceOrigin && |
There was a problem hiding this comment.
Wow, please clean up the boolean logic a little bit :)
There was a problem hiding this comment.
Sorry about that! Done
src/service/xhr-impl.js
Outdated
| @@ -36,6 +39,7 @@ import {isArray, isObject, isFormData} from '../types'; | |||
| * headers: (!Object|undefined), | |||
| * method: (string|undefined), | |||
| * requireAmpResponseSourceOrigin: (boolean|undefined) | |||
There was a problem hiding this comment.
Please make requireAmpResponseSourceOrigin explicit on the caller side.
|
@cramforce PTAL |
| mode: 'cors', | ||
| method: 'GET', | ||
| requireAmpResponseSourceOrigin: false, | ||
| disableAmpSourceOrigin: true, |
There was a problem hiding this comment.
should we call it ampCors: false?
Overall, disabling AMP CORS is the purpose, which requires 2 things:
- Not sending the AMP_SOURCE_ORIGIN.
- Not check response source origin.
There was a problem hiding this comment.
I was trying to be as explicit as possible thus the word "disable". Technically this is still a CORS request, it just doesn't include the source origin parameter so ampCors would seem somewhat confusing to me. Will defer to @cramforce
There was a problem hiding this comment.
ampCors is more than CORS. The extra things it does are the 2 I listed. And I don't see use case for:
requireAmpResponseSourceOrigin: true,
disableAmpSourceOrigin: true,
On the other side, requireAmpResponseSourceOrigin only exists for backward compatibility. I hope some day we can get rid of it. So any new changes should not really depend on it .
There was a problem hiding this comment.
Modified to use assert as Malte suggested
There was a problem hiding this comment.
I still think these 2 boolean names are confusing.
We should have the new boolean as ampCors, which defaults to true. In case it's false, it will override requireAmpResponseSourceOrigin to false.
As I mentioned, the requireAmpResponseSourceOrigin boolean exists only for backward compatibility. No new code should use it as false. They should instead go with ampCors: false.
test/functional/test-xhr.js
Outdated
| }); | ||
|
|
||
| it('should not include __amp_source_origin if disableAmpSourceOrigin ' + | ||
| 'true & requireAmpResponseSourceOrigin true', () => { |
There was a problem hiding this comment.
Again this is about being explicit. Should somewhat inadvertently specify both but in conflict, the requireAmpResponseSourceOrigin should take precedent (which this verifies).
There was a problem hiding this comment.
I think that should just be covered by dev().assert
cramforce
left a comment
There was a problem hiding this comment.
Lets roll with this. One comment.
test/functional/test-xhr.js
Outdated
| }); | ||
|
|
||
| it('should not include __amp_source_origin if disableAmpSourceOrigin ' + | ||
| 'true & requireAmpResponseSourceOrigin true', () => { |
There was a problem hiding this comment.
I think that should just be covered by dev().assert
|
@lannka @cramforce please merge. Thanks |
|
@lannka PTAL and merge if ok |
|
@lannka PTAL. Changed to use ampCors. Please merge if travis is green. Thx |
src/service/xhr-impl.js
Outdated
| // (requireAmpResponseSourceOrigin overrides disable). | ||
| dev().assert( | ||
| !(init.disableAmpSourceOrigin && init.requireAmpResponseSourceOrigin), | ||
| !(init.ampCors && init.requireAmpResponseSourceOrigin), |
There was a problem hiding this comment.
in case ampCors == false, let's just override the value of requireAmpResponseSourceOrigin to false.
|
@lannka PTAL, changed so ampCors = false forces requireAmpResponseSourceOrigin to false |
…e cached across pages (ampproject#6637) * Initial commit * Fix merge issues * PR responses * PR review * PR responses * PR responses
…e cached across pages (ampproject#6637) * Initial commit * Fix merge issues * PR responses * PR review * PR responses * PR responses
…e cached across pages (ampproject#6637) * Initial commit * Fix merge issues * PR responses * PR review * PR responses * PR responses
|
Is |
|
@dandv No its not. |
|
Hi, |
Issue #6494: ensure that __amp_source_origin is not included on fetchJSON CORS requests for AMP validation public key fetches so that they can be cached across publisher pages.