fix: now WAF bypass token header is forwarded #178
Merging #179 seems to have fixed it.
I'm going to take it for a test drive by linking it to the next-runtime and then link the next-runtime in a test project. 😅
@@ -51,7 +55,7 @@ export function createIPXHandler ({ | |||
responseHeaders, | |||
localPrefix, | |||
...opts | |||
}: IPXHandlerOptions = {}) { | |||
}: IPXHandlerOptions = {}, loadSourceImage = defaultLoadSourceImage) { |
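Review bot: The new second positional parameter `loadSourceImage = defaultLoadSourceImage` on `createIPXHandler` has no doc comment, so a caller cannot tell whether it is supported public API or only a seam for tests. Suggest documenting it next to the signature (what a replacement loader receives and must return) or marking it as test-only. Because the first argument defaults to `{}`, a caller that overrides the loader also has to pass the options argument explicitly, which is worth stating in the same comment.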
Is this just to allow testing?
Yeah, that was the main reason, but we were already importing `loadSourceImage`, so why not compose instead.
Looks good! Presumably it's not a risk to leak the existence of the token
I don't think so. Thoughts on this @merlyn-at-netlify?
Co-authored-by: Michal Piechowiak <[email protected]>
Looks harmless to me. No added security concern from forwarding this header.
Fixes an issue when the web application firewall (WAF) is active.
Now if the source image being loaded is a local image, the `X-Nf-Waf-Bypass-Token` header is passed so that the image on the origin server can be loaded for transformation.
There is nothing to test in this PR aside from ensuring the tests are all green.
Closes https://github.com/netlify/pod-ecosystem-frameworks/issues/592
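
The behaviour described above, as an added example that is not code from this PR or from the project: the bypass token from the incoming request is copied onto the source-image fetch only when the image resolves to the site's own origin, so it is never sent to a remote host. The header name is taken from the PR description; the function names, the same-origin definition of "local" and the sample values are assumptions made for illustration.

```javascript
// Added example. Only the header name comes from the PR description.
const WAF_BYPASS_HEADER = 'x-nf-waf-bypass-token'

// Resolve an image id against the site origin and report whether the result
// stays on that origin. Assumption: "local" means same scheme, host and port.
function resolveSource (id, siteOrigin) {
  const base = new URL(siteOrigin)
  let url
  try {
    // Also normalises "//host/x" and "/\host/x", which leave the origin.
    url = new URL(id, base)
  } catch {
    return { url: null, isLocal: false }
  }
  const isHttp = url.protocol === 'http:' || url.protocol === 'https:'
  return { url, isLocal: isHttp && url.origin === base.origin }
}

// Case-insensitive lookup in a plain header object.
function getHeader (headers, name) {
  const key = Object.keys(headers || {}).find(k => k.toLowerCase() === name)
  const value = key === undefined ? undefined : headers[key]
  return Array.isArray(value) ? value[0] : value
}

// Build the headers for the outbound source-image request. The token is
// forwarded for local images only; nothing else is copied across.
function buildSourceRequestHeaders (id, siteOrigin, incomingHeaders) {
  const { url, isLocal } = resolveSource(id, siteOrigin)
  const headers = {}
  if (url === null) return { url: null, isLocal, headers }
  const token = getHeader(incomingHeaders, WAF_BYPASS_HEADER)
  if (isLocal && typeof token === 'string' && token.length > 0) {
    headers[WAF_BYPASS_HEADER] = token
  }
  return { url: url.href, isLocal, headers }
}

// Constructed sample input (not real values).
const sampleIncoming = { 'X-Nf-Waf-Bypass-Token': 'constructed-token', cookie: 'a=b' }
console.log(buildSourceRequestHeaders('/images/hero.png', 'https://site.example', sampleIncoming))
console.log(buildSourceRequestHeaders('//cdn.other.example/hero.png', 'https://site.example', sampleIncoming))
```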