Merge pull request #7890 from ipfs/fix/remove-clear-site-data

Stebalien · web-flow · commit 4cdb67f37daa · 2021-03-31T16:24:24.000-07:00
fix(gw): remove use of Clear-Site-Data in subdomain router
diff --git a/core/corehttp/hostname.go b/core/corehttp/hostname.go
@@ -97,15 +97,6 @@ func HostnameOption() ServeOption {
 							return
 						}
 						if newURL != "" {
-							// Just to be sure single Origin can't be abused in
-							// web browsers that ignored the redirect for some
-							// reason, Clear-Site-Data header clears browsing
-							// data (cookies, storage etc) associated with
-							// hostname's root Origin
-							// Note: we can't use "*" due to bug in Chromium:
-							// https://bugs.chromium.org/p/chromium/issues/detail?id=898503
-							w.Header().Set("Clear-Site-Data", "\"cookies\", \"storage\"")
-
 							// Set "Location" header with redirect destination.
 							// It is ignored by curl in default mode, but will
 							// be respected by user agents that follow
diff --git a/docs/config.md b/docs/config.md
@@ -660,7 +660,6 @@ between content roots.
         }
     }
     ```
-<!-- **(not implemented yet)** due to the lack of Origin isolation, cookies and storage on `Paths` will be disabled by [Clear-Site-Data](https://github.com/ipfs/in-web-browsers/issues/157) header -->
 
 Default: `false`
 
diff --git a/test/sharness/t0114-gateway-subdomains.sh b/test/sharness/t0114-gateway-subdomains.sh
@@ -181,13 +181,6 @@ test_localhost_gateway_response_should_contain \
   "http://localhost:$GWAY_PORT/ipfs/$DIR_CID/" \
   "Location: http://$DIR_CID.ipfs.localhost:$GWAY_PORT/"
 
-# Responses to the root domain of subdomain gateway hostname should Clear-Site-Data
-# https://github.com/ipfs/go-ipfs/issues/6975#issuecomment-597472477
-test_localhost_gateway_response_should_contain \
-  "request for localhost/ipfs/{CIDv1} returns Clear-Site-Data header to purge Origin cookies and storage" \
-  "http://localhost:$GWAY_PORT/ipfs/$CIDv1" \
-  'Clear-Site-Data: \"cookies\", \"storage\"'
-
 # We return body with HTTP 301 so existing cli scripts that use path-based
 # gateway do not break (curl doesn't auto-redirect without passing -L; wget
 # does not span across hostnames by default)

Original file line number	Diff line number	Diff line change
`@@ -660,7 +660,6 @@ between content roots.`
`660`	`660`	`}`
`661`	`661`	`}`
`662`	`662`	```
`663`		-<!-- (not implemented yet) due to the lack of Origin isolation, cookies and storage on `Paths` will be disabled by [Clear-Site-Data](https://github.com/ipfs/in-web-browsers/issues/157) header -->
`664`	`663`
`665`	`664`	Default: `false`
`666`	`665`