[jira] [Updated] (SLING-6708) Sling Dynamic Include - Usage of nocache selector allows uncached access to everything

[Henry Kuijpers (JIRA)]

     [ 
https://issues.apache.org/jira/browse/SLING-6708?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Henry Kuijpers updated SLING-6708:
----------------------------------
    Description: 
The SDI module works with a nocache-selector (or a selector that we arbitrarily 
choose).

However, we cannot guarantee that only SDI's requests come in through the 
nocache-selector. It can be any request.

This document says https://github.com/Cognifide/Sling-Dynamic-Include
that we should configure the Dispatcher to not cache when `*.nocache.html*` can 
be applied to the request.

This means that anyone can use the nocache-selector on any request to bypass 
Dispatcher caching for html files.

It even means that ".nocache.html" can appear anywhere in the full request URL.

  was:
The SDI module works with a nocache-selector (or a selector that we arbitrarily 
choose).

However, we cannot guarantee that only SDI's requests come in through the 
nocache-selector. It can be any request.

This document says https://github.com/Cognifide/Sling-Dynamic-Include
that we should configure the Dispatcher to not cache when *.nocache.html* can 
be applied to the request.

This means that anyone can use the nocache-selector on any request to bypass 
Dispatcher caching for html files.

It even means that ".nocache.html" can appear anywhere in the full request URL.


> Sling Dynamic Include - Usage of nocache selector allows uncached access to 
> everything
> --------------------------------------------------------------------------------------
>
>                 Key: SLING-6708
>                 URL: https://issues.apache.org/jira/browse/SLING-6708
>             Project: Sling
>          Issue Type: Bug
>          Components: Extensions
>    Affects Versions: Dynamic Include 3.0.0, Dynamic Include 3.0.2
>            Reporter: Henry Kuijpers
>            Priority: Blocker
>
> The SDI module works with a nocache-selector (or a selector that we 
> arbitrarily choose).
> However, we cannot guarantee that only SDI's requests come in through the 
> nocache-selector. It can be any request.
> This document says https://github.com/Cognifide/Sling-Dynamic-Include
> that we should configure the Dispatcher to not cache when `*.nocache.html*` 
> can be applied to the request.
> This means that anyone can use the nocache-selector on any request to bypass 
> Dispatcher caching for html files.
> It even means that ".nocache.html" can appear anywhere in the full request 
> URL.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)