Add support for client hints prefixed with Sec-CH-; Remove Viewport-Width header support

CHANGELOG.md

@@ -1,6 +1,11 @@
 # Changelog
 
 ## [Unreleased]
+### Add
+- Add support for `Sec-CH-DPR` and `Sec-CH-Width` client hints.
+
+### Remove
+- Remove suport for `Viewport-Width` client hint.
 
 ## [3.15.0] - 2023-04-10
 ### Add

docs/configuration.md

@@ -249,11 +249,11 @@ Check out the [Best format](best_format.md) guide to learn more.
 
 ## Client Hints support
 
-imgproxy can use the `Width`, `Viewport-Width` or `DPR` HTTP headers to determine default width and DPR options using Client Hints. This feature is disabled by default and can be enabled by the following option:
+imgproxy can use the `Width` and `DPR` HTTP headers to determine default width and DPR options using Client Hints. This feature is disabled by default and can be enabled by the following option:
 
 * `IMGPROXY_ENABLE_CLIENT_HINTS`: enables Client Hints support to determine default width and DPR options. Read more details [here](https://developers.google.com/web/updates/2015/09/automating-resource-selection-with-client-hints) about Client Hints.
 
-**⚠️ Warning:** Headers cannot be signed. This means that an attacker can bypass your CDN cache by changing the `Width`, `Viewport-Width` or `DPR` HTTP headers. Keep this in mind when configuring your production caching setup.
+**⚠️ Warning:** Headers cannot be signed. This means that an attacker can bypass your CDN cache by changing the `Width` or `DPR` HTTP headers. Keep this in mind when configuring your production caching setup.
 
 ## Video thumbnails
 

options/processing_options.go

@@ -1087,17 +1087,21 @@ func defaultProcessingOptions(headers http.Header) (*ProcessingOptions, error) {
 	}
 
 	if config.EnableClientHints {
-		if headerDPR := headers.Get("DPR"); len(headerDPR) > 0 {
+		headerDPR := headers.Get("Sec-CH-DPR")
+		if len(headerDPR) == 0 {
+			headerDPR = headers.Get("DPR")
+		}
+		if len(headerDPR) > 0 {
 			if dpr, err := strconv.ParseFloat(headerDPR, 64); err == nil && (dpr > 0 && dpr <= maxClientHintDPR) {
 				po.Dpr = dpr
 			}
 		}
-		if headerViewportWidth := headers.Get("Viewport-Width"); len(headerViewportWidth) > 0 {
-			if vw, err := strconv.Atoi(headerViewportWidth); err == nil {
-				po.Width = vw
-			}
+
+		headerWidth := headers.Get("Sec-CH-Width")
+		if len(headerWidth) == 0 {
+			headerWidth = headers.Get("Width")
 		}
-		if headerWidth := headers.Get("Width"); len(headerWidth) > 0 {
+		if len(headerWidth) > 0 {
 			if w, err := strconv.Atoi(headerWidth); err == nil {
 				po.Width = imath.Scale(w, 1/po.Dpr)
 			}

options/processing_options_test.go

@@ -439,40 +439,6 @@ func (s *ProcessingOptionsTestSuite) TestParsePathWidthHeaderRedefine() {
 	require.Equal(s.T(), 150, po.Width)
 }
 
-func (s *ProcessingOptionsTestSuite) TestParsePathViewportWidthHeader() {
-	config.EnableClientHints = true
-
-	path := "/plain/http://images.dev/lorem/ipsum.jpg@png"
-	headers := http.Header{"Viewport-Width": []string{"100"}}
-	po, _, err := ParsePath(path, headers)
-
-	require.Nil(s.T(), err)
-
-	require.Equal(s.T(), 100, po.Width)
-}
-
-func (s *ProcessingOptionsTestSuite) TestParsePathViewportWidthHeaderDisabled() {
-	path := "/plain/http://images.dev/lorem/ipsum.jpg@png"
-	headers := http.Header{"Viewport-Width": []string{"100"}}
-	po, _, err := ParsePath(path, headers)
-
-	require.Nil(s.T(), err)
-
-	require.Equal(s.T(), 0, po.Width)
-}
-
-func (s *ProcessingOptionsTestSuite) TestParsePathViewportWidthHeaderRedefine() {
-	config.EnableClientHints = true
-
-	path := "/width:150/plain/http://images.dev/lorem/ipsum.jpg@png"
-	headers := http.Header{"Viewport-Width": []string{"100"}}
-	po, _, err := ParsePath(path, headers)
-
-	require.Nil(s.T(), err)
-
-	require.Equal(s.T(), 150, po.Width)
-}
-
 func (s *ProcessingOptionsTestSuite) TestParsePathDprHeader() {
 	config.EnableClientHints = true
 

processing_handler.go

@@ -49,7 +49,7 @@ func initProcessingHandler() {
 	}
 
 	if config.EnableClientHints {
-		vary = append(vary, "DPR", "Viewport-Width", "Width")
+		vary = append(vary, "Sec-CH-DPR", "DPR", "Sec-CH-Width", "Width")
 	}
 
 	headerVaryValue = strings.Join(vary, ", ")