go/imgproxy
1
0
Fork 0
mirror of https://github.com/imgproxy/imgproxy.git synced 2025-06-17 22:37:33 +02:00
Code Releases Activity

Add support for client hints prefixed with Sec-CH-; Remove Viewport-Width header support

Browse Source
This commit is contained in:
DarthSim
2023-04-11 21:08:39 +03:00
parent a2efeb55be
commit b92de43cf3
5 changed files with 18 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGELOG.md
View File

@ -1,6 +1,11 @@
# Changelog # Changelog
## [Unreleased] ## [Unreleased]
### Add
- Add support for `Sec-CH-DPR` and `Sec-CH-Width` client hints.
### Remove
- Remove suport for `Viewport-Width` client hint.
## [3.15.0] - 2023-04-10 ## [3.15.0] - 2023-04-10
### Add ### Add

4
docs/configuration.md
View File

@ -249,11 +249,11 @@ Check out the [Best format](best_format.md) guide to learn more.
## Client Hints support ## Client Hints support
imgproxy can use the `Width`, `Viewport-Width` or `DPR` HTTP headers to determine default width and DPR options using Client Hints. This feature is disabled by default and can be enabled by the following option: imgproxy can use the `Width` and `DPR` HTTP headers to determine default width and DPR options using Client Hints. This feature is disabled by default and can be enabled by the following option:
* `IMGPROXY_ENABLE_CLIENT_HINTS`: enables Client Hints support to determine default width and DPR options. Read more details [here](https://developers.google.com/web/updates/2015/09/automating-resource-selection-with-client-hints) about Client Hints. * `IMGPROXY_ENABLE_CLIENT_HINTS`: enables Client Hints support to determine default width and DPR options. Read more details [here](https://developers.google.com/web/updates/2015/09/automating-resource-selection-with-client-hints) about Client Hints.
**⚠️ Warning:** Headers cannot be signed. This means that an attacker can bypass your CDN cache by changing the `Width`, `Viewport-Width` or `DPR` HTTP headers. Keep this in mind when configuring your production caching setup. **⚠️ Warning:** Headers cannot be signed. This means that an attacker can bypass your CDN cache by changing the `Width` or `DPR` HTTP headers. Keep this in mind when configuring your production caching setup.
## Video thumbnails ## Video thumbnails

16
options/processing_options.go
View File

@ -1087,17 +1087,21 @@ func defaultProcessingOptions(headers http.Header) (*ProcessingOptions, error) {
} }
if config.EnableClientHints { if config.EnableClientHints {
if headerDPR := headers.Get("DPR"); len(headerDPR) > 0 { headerDPR := headers.Get("Sec-CH-DPR")
if len(headerDPR) == 0 {
headerDPR = headers.Get("DPR")
}
if len(headerDPR) > 0 {
if dpr, err := strconv.ParseFloat(headerDPR, 64); err == nil && (dpr > 0 && dpr <= maxClientHintDPR) { if dpr, err := strconv.ParseFloat(headerDPR, 64); err == nil && (dpr > 0 && dpr <= maxClientHintDPR) {
po.Dpr = dpr po.Dpr = dpr
} }
} }
if headerViewportWidth := headers.Get("Viewport-Width"); len(headerViewportWidth) > 0 {
if vw, err := strconv.Atoi(headerViewportWidth); err == nil { headerWidth := headers.Get("Sec-CH-Width")
po.Width = vw if len(headerWidth) == 0 {
headerWidth = headers.Get("Width")
} }
} if len(headerWidth) > 0 {
if headerWidth := headers.Get("Width"); len(headerWidth) > 0 {
if w, err := strconv.Atoi(headerWidth); err == nil { if w, err := strconv.Atoi(headerWidth); err == nil {
po.Width = imath.Scale(w, 1/po.Dpr) po.Width = imath.Scale(w, 1/po.Dpr)
} }

34
options/processing_options_test.go
View File

@ -439,40 +439,6 @@ func (s *ProcessingOptionsTestSuite) TestParsePathWidthHeaderRedefine() {
require.Equal(s.T(), 150, po.Width) require.Equal(s.T(), 150, po.Width)
} }
func (s *ProcessingOptionsTestSuite) TestParsePathViewportWidthHeader() {
config.EnableClientHints = true
path := "/plain/http://images.dev/lorem/ipsum.jpg@png"
headers := http.Header{"Viewport-Width": []string{"100"}}
po, _, err := ParsePath(path, headers)
require.Nil(s.T(), err)
require.Equal(s.T(), 100, po.Width)
}
func (s *ProcessingOptionsTestSuite) TestParsePathViewportWidthHeaderDisabled() {
path := "/plain/http://images.dev/lorem/ipsum.jpg@png"
headers := http.Header{"Viewport-Width": []string{"100"}}
po, _, err := ParsePath(path, headers)
require.Nil(s.T(), err)
require.Equal(s.T(), 0, po.Width)
}
func (s *ProcessingOptionsTestSuite) TestParsePathViewportWidthHeaderRedefine() {
config.EnableClientHints = true
path := "/width:150/plain/http://images.dev/lorem/ipsum.jpg@png"
headers := http.Header{"Viewport-Width": []string{"100"}}
po, _, err := ParsePath(path, headers)
require.Nil(s.T(), err)
require.Equal(s.T(), 150, po.Width)
}
func (s *ProcessingOptionsTestSuite) TestParsePathDprHeader() { func (s *ProcessingOptionsTestSuite) TestParsePathDprHeader() {
config.EnableClientHints = true config.EnableClientHints = true

2
processing_handler.go
View File

@ -49,7 +49,7 @@ func initProcessingHandler() {
} }
if config.EnableClientHints { if config.EnableClientHints {
vary = append(vary, "DPR", "Viewport-Width", "Width") vary = append(vary, "Sec-CH-DPR", "DPR", "Sec-CH-Width", "Width")
} }
headerVaryValue = strings.Join(vary, ", ") headerVaryValue = strings.Join(vary, ", ")