Changeset 2480423

Timestamp:

02/24/2021 08:15:34 AM (5 years ago)

Author:

imageengine

Message:

Improved CORS compatibility, Added Permissions-Policy

Location:

image-cdn

Files:

• tags/1.1.0 (copied) (copied from image-cdn/trunk)
• tags/1.1.0/image-cdn.php (copied) (copied from image-cdn/trunk/image-cdn.php)
• tags/1.1.0/imageengine/class-imagecdn.php (copied) (copied from image-cdn/trunk/imageengine/class-imagecdn.php)
• tags/1.1.0/imageengine/class-rewriter.php (copied) (copied from image-cdn/trunk/imageengine/class-rewriter.php)
• tags/1.1.0/readme.txt (copied) (copied from image-cdn/trunk/readme.txt)
• tags/1.1.0/templates/settings.php (copied) (copied from image-cdn/trunk/templates/settings.php)
• trunk/image-cdn.php (modified) (2 diffs)
• trunk/imageengine/class-imagecdn.php (modified) (7 diffs)
• trunk/imageengine/class-rewriter.php (modified) (1 diff)
• trunk/imageengine/class-settings.php (modified) (2 diffs)
• trunk/readme.txt (modified) (1 diff)
• trunk/templates/settings.php (modified) (3 diffs)

image-cdn/trunk/image-cdn.php

@@ -17 +17 @@
  * Text Domain:       image-cdn
  * License:           GPLv2 or later
- * Version:           1.1.0
+ * Version:           1.1.1
  */
+
+// Update this then you update "Requires at least" above!
+define( 'IMAGE_CDN_MIN_WP', '4.6' );
+
+// Update this when you update the "Version" above!
+define( 'IMAGE_CDN_VERSION', '1.1.1' );
 
 // Load plugin files.
@@ -30 +36 @@
 define( 'IMAGE_CDN_DIR', __DIR__ );
 define( 'IMAGE_CDN_BASE', plugin_basename( __FILE__ ) );
-define( 'IMAGE_CDN_MIN_WP', '3.8' );
 
 add_action( 'plugins_loaded', array( ImageEngine\ImageCDN::class, 'instance' ) );

image-cdn/trunk/imageengine/class-imagecdn.php

@@ -1 +1 @@
 <?php
 /**
- * This file contains the ImageCDN class
+ * This file contains the ImageCDN class.
  *
  * @package ImageCDN
@@ -22 +22 @@
 
     /**
-     * Singleton Rewriter instance
+     * Client hints.
+     *
+     * @var []string
+     */
+    private static $client_hints = array(
+        'Viewport-Width',
+        'Width',
+        'DPR',
+        /**
+         * Disabled for CORS compatibility:
+         * 'ECT',
+         * 'Device-Memory',
+         * 'RTT',
+         * 'Downlink',
+         */
+    );
+
+    /**
+     * Client hints that do not require CORS preflight confirmation.
+     *
+     * @var []string
+     */
+    private static $safe_client_hints = array(
+        'Viewport-Width',
+        'Width',
+        'DPR',
+    );
+
+    /**
+     * Singleton Rewriter instance.
      *
      * @var Rewriter
      */
     private static $rewriter;
+
+    /**
+     * If true, some functionality will be augmented to facilitate testing.
+     *
+     * @internal
+     * @var bool
+     */
+    public static $tests_running = false;
+
+    /**
+     * Captures headers written during unit testing.
+     *
+     * @internal
+     * @var []string
+     */
+    public static $test_headers_written = array();
+
+    /**
+     * Options that will be used during unit testing.
+     *
+     * @internal
+     * @var []string
+     */
+    public static $test_options = array();
 
     /**
@@ -41 +94 @@
             add_filter( 'the_content', array( self::class, 'rewrite_html' ), 100 );
 
-            // Resource hints.  Note that the 'wp_head' is disabled for the time being due to CORS incompatibility.
-            // add_action( 'wp_head', array( self::class, 'add_head_tags' ), 0 );    .
+            /**
+             * Resource hints.  Note that the 'wp_head' is disabled for the time being due to CORS incompatibility.
+             * add_action( 'wp_head', array( self::class, 'add_head_tags' ), 0 );
+             */
             add_action( 'send_headers', array( self::class, 'add_headers' ), 0 );
 
@@ -63 +118 @@
 
     /**
+     * Outputs an HTTP header.
+     *
+     * @param string $key HTTP header key.
+     * @param string $value HTTP header value.
+     */
+    private static function header( $key, $value ) {
+        $val = "$key: $value";
+        if ( self::$tests_running ) {
+            self::$test_headers_written[] = $val;
+            return;
+        }
+
+        header( $val );
+    }
+
+    /**
      * Add http headers for Client Hints, Feature Policy and Preconnect Resource Hint.
      */
     public static function add_headers() {
-        // Add client hints.
-        header( 'Accept-CH: viewport-width, width, device-memory, dpr, downlink, ect' );
+        self::header( 'Accept-CH', strtolower( implode( ', ', self::$client_hints ) ) );
 
         // Add resource hints and feature policy.
         $options = self::get_options();
         $host    = wp_parse_url( $options['url'], PHP_URL_HOST );
-        if ( ! empty( $host ) ) {
-            $protocol = ( is_ssl() ) ? 'https://' : 'http://';
-            header( 'Link: <' . $protocol . $host . '>; rel=preconnect' );
-            header( 'Feature-Policy: ch-viewport-width ' . $protocol . $host . '; ch-width ' . $protocol . $host . '; ch device-memory ' . $protocol . $host . '; ch-dpr ' . $protocol . $host . '; ch-downlink ' . $protocol . $host . '; ch-ect ' . $protocol . $host . ';' );
-        }
+        if ( empty( $host ) ) {
+            return;
+        }
+
+        $protocol = is_ssl() ? 'https' : 'http';
+
+        // Add Preconnect header.
+        self::header( 'Link', "<{$protocol}://{$host}>; rel=preconnect" );
+
+        // Add Feature-Policy header.
+        // @deprecated in favor of Permissions-Policy and will be removed once adaquate market
+        // adoption has been reached (90-95%).
+        $features = array();
+        foreach ( self::$client_hints as $hint ) {
+            $features[] = strtolower( "ch-{$hint} {$protocol}://{$host}" );
+        }
+        self::header( 'Feature-Policy', strtolower( implode( '; ', $features ) ) );
+
+        $permissions = array();
+        foreach ( self::$client_hints as $hint ) {
+            $permissions[] = strtolower( "ch-{$hint}=(\"{$protocol}://{$host}\")" );
+        }
+        // Add Permissions-Policy header.
+        // This header replaced Feature-Policy in Chrome 88, released in January 2021.
+        // @see https://github.com/w3c/webappsec-permissions-policy/blob/main/permissions-policy-explainer.md#appendix-big-changes-since-this-was-called-feature-policy .
+        self::header( 'Permissions-Policy', strtolower( implode( ', ', $permissions ) ) );
     }
 
@@ -85 +176 @@
     public static function add_head_tags() {
         // Add client hints.
-        echo '    <meta http-equiv="Accept-CH" content="DPR, Viewport-Width, Width">' . "\n";
+        echo '    <meta http-equiv="Accept-CH" content="' . esc_attr( implode( ', ', self::$client_hints ) ) . '">' . "\n";
 
         // Add resource hints.
@@ -118 +209 @@
         );
     }
+
+    /**
+     * Gets the list of active client hints.
+     *
+     * @return array client hints.
+     */
+    public static function get_client_hints() {
+        return self::$client_hints;
+    }
+
+    /**
+     * Gets the list of safe client hints.
+     *
+     * @return array client hints.
+     */
+    public static function get_safe_client_hints() {
+        return self::$safe_client_hints;
+    }
+
+    /**
+     * Gets the list of active unsafe client hints.
+     *
+     * @return array client hints.
+     */
+    public static function get_unsafe_client_hints() {
+        return array_diff( self::$client_hints, self::$safe_client_hints );
+    }
+
 
     /**
@@ -269 +388 @@
      */
     public static function get_options() {
+        if ( self::$tests_running ) {
+            return self::$test_options;
+        }
         return wp_parse_args( get_option( 'image_cdn' ), self::default_options() );
     }

image-cdn/trunk/imageengine/class-rewriter.php

@@ -116 +116 @@
      */
     public function exclude_asset( $asset ) {
+        $path = strtolower( wp_parse_url( $asset, PHP_URL_PATH ) );
+
         // Excludes.
         foreach ( $this->excludes as $exclude ) {
-            if ( $exclude && stripos( $asset, $exclude ) !== false ) {
+            if ( '' === $exclude ) {
+                continue;
+            }
+
+            if ( false !== strpos( $path, strtolower( $exclude ) ) ) {
                 return true;
             }
         }
+
         return false;
     }

image-cdn/trunk/imageengine/class-settings.php

@@ -255 +255 @@
         if ( ! isset( $cdn_res['headers']['content-type'] ) ) {
             $out['type']    = 'warning';
-            $out['message'] = 'Unable to confirm that the CDN is working properly because it didn\'t send a content type';
+            $out['message'] = 'Unable to confirm that the CDN is working properly because it didn\'t send Content-Type';
             wp_send_json_error( $out );
         }
@@ -262 +262 @@
         if ( strpos( $cdn_type, 'image/png' ) === false ) {
             $out['type']    = 'error';
-            $out['message'] = "CDN returned the wrong content type (expected 'image/png', got '$cdn_type'";
-            wp_send_json_error( $out );
-        }
+            $out['message'] = "CDN returned the wrong content type (expected 'image/png', got '$cdn_type')";
+            wp_send_json_error( $out );
+        }
+
+        /**
+         * This check it commented out until we can confirm that it properly tests CORS functionality.
+         *
+         * $unsafe_hints = ImageCDN::get_unsafe_client_hints();
+         * if ( 0 < count( $unsafe_hints ) ) {
+         *     $cors_error = true;
+         *     if ( ! array_key_exists( 'access-control-allowed-headers', $cdn_res['headers'] ) ) {
+         *         $out['type']    = 'warning';
+         *         $out['message'] = 'Unable to confirm that the CDN supports client-hints because it didn\'t send Access-Control-Allow-Headers.  Fonts may not work if served from the CDN.';
+         *         wp_send_json_error( $out );
+         *     }
+         *
+         *     $allowed       = preg_split( '/ +/', trim( $cdn_res['headers']['access-control-allowed-headers'] ) );
+         *     $missing_hints = array_diff( $unsafe_hints, $allowed );
+         *     if ( 0 < count( $missing_hints ) ) {
+         *         $out['type']    = 'warning';
+         *         $out['message'] = 'Unable to confirm that the CDN supports advanced client-hints because it is missing some active client-hints in Access-Control-Allow-Headers (' . implode( ',', $missing_hints ) . ').  Fonts may not work if served from the CDN.';
+         *         wp_send_json_error( $out );
+         *     }
+         * }
+         */
 
         $out['type']    = 'success';

image-cdn/trunk/readme.txt

@@ -121 +121 @@
 == Changelog ==
 
+= 1.1.1 =
+* Improved CORS compatibility
+* Removed downlink and ect hint
+* Added Permissions-Policy header
+
 = 1.1.0 =
 * Fixed compatibility issue with Divi

image-cdn/trunk/templates/settings.php

@@ -19 +19 @@
             ?>
         </p>
-        <p><?php esc_html_e( 'To obtain an ImageEngine Delivery Address' ); ?>:</p>
+        <p><?php esc_html_e( 'To obtain an ImageEngine Delivery Address:' ); ?></p>
         <ol>
             <li><a target="_blank" href="https://imageengine.io/signup/?website=<?php echo esc_attr( get_site_url() ); ?>&?utm_source=WP-plugin-settigns&utm_medium=page&utm_term=wp-imageengine&utm_campaign=wp-imageengine">Sign up for an ImageEngine account</a></li>
             <li>
-            <?php
+                <?php
                 printf(
                     // translators: 1: http code example 2: https code example.
@@ -35 +35 @@
         <p>See <a href="https://imageengine.io/docs/setup/quick-start/?utm_source=WP-plugin-settigns&utm_medium=page&utm_term=wp-imageengine&utm_campaign=wp-imageengine" target="_blank">full documentation.</a></p>
     </div>
-    <h2><?php esc_html_e( 'Image CDN Settings', 'image-cdn' ); ?></h2>
+    <h2>
+        <?php
+        printf(
+            // translators: %s is the plugin version number.
+            'Image CDN Settings (version %s)',
+            esc_attr( IMAGE_CDN_VERSION )
+        )
+        ?>
+    </h2>
     <?php if ( $options['enabled'] && ! $is_runnable ) { ?>
         <div class="notice notice-error">
@@ -120 +128 @@
                         <label for="image_cdn_dirs">
                             <input type="text" name="image_cdn[dirs]" id="image_cdn_dirs" value="<?php echo esc_attr( $options['dirs'] ); ?>" size="64" class="regular-text code" />
-                            <?php esc_html_e( 'Default', 'image-cdn' ); ?>: <code><?php echo esc_html( $defaults['dirs'] ); ?></code>
-                        </label>
-
-                        <p class="description">
-                            <?php esc_html_e( 'Assets in these directories will be pointed to the CDN URL. Enter the directories separated by', 'image-cdn' ); ?> <code>,</code>
+                            <?php esc_html_e( 'Optional; Default:', 'image-cdn' ); ?> <code><?php echo esc_html( $defaults['dirs'] ); ?></code>
+                        </label>
+
+                        <p class="description">
+                            <?php esc_html_e( 'Assets in these directories will be served by the CDN. Enter the directories separated by', 'image-cdn' ); ?> <code>,</code>
                         </p>
                     </fieldset>