Setting browser cache expirations for file attachments - xpages

On an XPage, when I want to display an image which is stored as a file attachment of a NotesDocument, I define the image source as follows: [UNID_OF_FILE]/$FILE/[NAME_OF_ATTACHMENT].
Whenever a page contains this kind of source, an HTTP request is performed. Since there is no "Expires" date defined in the response headers, the HTTP status is (in the best case) "304 Not Modified", which means that the attachment is not loaded from the server again. However, this is still an HTTP request that increases the page's loading time. Is there a way to set the expiration date for these responses to get an HTTP status "200 OK (Cache)" which does not perform an HTTP request and directly loads the image resource from the cache?
PS: I know I could create a "helper" XPage (for downloading this file attachment) which manually sets the response headers with facesContext.getExternalContext().getResponse().setHeader(...) etc. Yet this would mean that I would have to largely rewrite my XPages application. I hope that there are some server or database settings that allow me to directly set the corresponding response headers.

You can add a Web Site Rule that sets the Expires header (and other HTTP headers).
Here's an example of a web site rule that sets the Expires header to 14 days for all files of type jpg:

Related

Express JS redirect with headers

Using Express JS I'm trying to add some headers to the redirection I'm returning.
However, everything I tried just works for the response headers and not for the request headers of the redirection. I.e., when inspecting it with the developer tools I can see the response headers, but when the next call is made, I cannot see the request headers.
req.headers['x-custom-header'] = 'value'
res.setHeader('x-custom-header', 'value')
res.redirect('example.com')
Can anybody explain how the response and request headers work on ExpressJS?
A redirect just does a redirect. It tells the browser to go to that new location with standard, non-custom headers. You cannot set custom headers on the next request after the redirect. The browser simply doesn't do that.
The usual way to pass some type of parameters in a redirect is to put them in a query string for the redirect URL or, in some cases, to put them in a cookie. In both cases of query string parameters and data in a cookie, those will be available to your server when the browser sends you the request for the redirected URL.
It also may be worth revisiting why you're redirecting in the first place and perhaps there's a different flow of data/urls that doesn't need to redirect in the first place. We'd have to know a lot more about what this actual operation is trying to accomplish to make suggestions there.
If your request is being processed by an Ajax call, then you can program the code receiving the results of the Ajax call to do anything you want it to do (including add custom headers), but if it's the browser processing the redirect and changing the page URL to load a new page, it won't pay any attention to custom headers on the redirect response.
Can anybody explain how the response and request headers work on ExpressJS?
Express is doing exactly what you told it to do. It's attaching the custom headers to the response that goes back to the browser. It's the browser that does not attach those same headers to the next request to the redirected URL. So, this isn't an Express thing, it's a browser thing.

access gitlab files through ajax request

I would like to access the raw files in a repository of mine that is on GitLab through an Ajax request. However, it's not working, and I'm wondering if I have to set up my project accordingly or something. Obviously my project is public. This is the error message I get:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
Which means it's on their end.
To understand Access-Control-Allow-Origin header, I highly recommend How does Access-Control-Allow-Origin header work?
When Site A tries to fetch content from Site B, Site B can send an
Access-Control-Allow-Origin response header to tell the browser that
the content of this page is accessible to certain origins. (An origin
is a domain, plus a scheme and port number.) By default, Site B's
pages are not accessible to any other origin; using the
Access-Control-Allow-Origin header opens a door for cross-origin
access by specific requesting origins.
If your GitLab is hosted on gitlab.com, I don't see a way to add your domain to response header.
The easiest solution is wrapping XMLHttpRequests to GitLab in requests to your application - and on the backend you will simply fetch and return data. For example, you won't send an XML request to https://gitlab.com/pdaw/test/raw/master/README.md, but to https://my.app.com/fetch-file?file=pdaw/test/raw/master/README.md. On the backend of the fetch-file action you will fetch and return raw data from https://gitlab.com/pdaw/test/raw/master/README.md
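A sketch of the backend side of the fetch-file action described above, added here as an example and not part of the original answer. Because the `file` value comes from the client, the backend should resolve it only to paths under the one repository it is meant to expose; the names `buildUpstreamUrl`, `fetchFile`, `UPSTREAM_ORIGIN` and `ALLOWED_PREFIX` are assumptions, with the prefix taken from the URLs in the answer.

```javascript
// Added example: validate the `file` parameter of a fetch-file proxy.
// UPSTREAM_ORIGIN and ALLOWED_PREFIX are assumptions based on the answer's URLs.
const UPSTREAM_ORIGIN = 'https://gitlab.com';
const ALLOWED_PREFIX = '/pdaw/test/raw/master/';

// Returns the upstream URL string for an acceptable `file` value, or null.
function buildUpstreamUrl(file) {
  if (typeof file !== 'string' || file.length === 0 || file.length > 512) return null;
  // Decode once so encoded traversal (%2e%2e) is checked in its decoded form.
  let decoded;
  try { decoded = decodeURIComponent(file); } catch (e) { return null; }
  // Plain path characters only: no scheme, '@', '\', '?', '#', '%' or control characters.
  if (!/^[A-Za-z0-9._\/-]+$/.test(decoded)) return null;
  // No empty, '.' or '..' segments (blocks traversal and a leading '//').
  const segments = decoded.split('/');
  if (segments.some((s) => s === '' || s === '.' || s === '..')) return null;
  // Resolve against the fixed origin and re-check what the URL parser produced.
  const url = new URL('/' + segments.join('/'), UPSTREAM_ORIGIN);
  if (url.origin !== UPSTREAM_ORIGIN) return null;
  if (!url.pathname.startsWith(ALLOWED_PREFIX)) return null;
  return url.href;
}

// Proxy step: fetch the validated URL and hand back the raw text.
// `fetchImpl` defaults to the global fetch (Node 18+); redirects are refused so
// the upstream response cannot send the request on to another host.
async function fetchFile(file, fetchImpl = fetch) {
  const target = buildUpstreamUrl(file);
  if (target === null) return { status: 400, body: 'invalid file parameter' };
  const res = await fetchImpl(target, { redirect: 'error' });
  if (!res.ok) return { status: 502, body: 'upstream error' };
  return { status: 200, body: await res.text() };
}
```

The route handler for fetch-file would pass the query-string value to `fetchFile` and relay the returned status and body.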

Should Content-Security-Policy header be in every server response or only in text/html?

Should Content-Security-Policy header be in every server response (images, CSS, JS, ...) or only in text/html (.html or HTML output of PHP script)?
Since CSP is a client side protection and only processed by browsers for HTML documents (whether static or dynamically created by PHP or such like) there is no need to have this header on anything but text/html documents.
In fact, as CSP policies can be quite large, there are bandwidth savings to be had by only serving it in HTML document responses.
The one exception at present to this is web workers. However if you are not using them then you can ignore them for now.
Note the current CSP draft spec says in the goals section that CSP is used to give control over:
The resources which can be requested (and subsequently embedded or
executed) on behalf of a specific Document or Worker

How can I check if Access-Control-Allow-Origin is enabled for my domain?

If I have configured Access-Control-Allow-Origin: http://mydomain correctly, should it be listed in the response headers if I view them using the web developer plugin? I don't see it. Should it be there?
I have tried viewing the response headers after submitting my post request, and just calling the page.
Background
I need to transfer a couple of values from mydomain to receivingdomain via XMLHttpRequest POST request and am trying to troubleshoot
XMLHttpRequest Page1.asp cannot load https://receivingdomain. No Access-Control-Allow-Origin header is present on the requested resource
If I turn on the Allow-Control-Allow-Extension plug-in my post requests work correctly. However, when this plug-in is disabled, my post requests are being received ok (the data is inserted into the database) - I'm just not getting any result back from the receiving server.

How do I cache control?

How do I get my website to save images to the client's computer and use them, not redownload them on every page reload?
I tried to send header("Cache-Control: max-age=3600"); but that had no effect.
You'll need to send caching headers for the image files, not for your HTML document. You can use the header function only if the files are actually served by a PHP script - not if they are static files handled by the web server. If they are static files, check the documentation for your web server of choice.
Also consider sending an Expires header, and disable ETags.
