In some places we prevented cache poisoning, in others we did not. We
also did not place any restriction on the minimum value for a revision.
This change introduces a new set of functions for configonly endpoints
which validates the revision numbers passed in. If the revision is
either too old, or too new, it is rejected and the file content is not
cached. The content is still served, but caching headers are not sent,
and any local storage caching is prevented.
The current time is used as the maximum version, with 60 seconds added
to allow for any clock skew between cluster nodes. Previously some
locations used one hour, but there should never be such a large clock
skew on a correctly configured system.
Co-authored-by: Andrew Nicols <andrew@nicols.co.uk>
Part of MDL-75966
This commit adds a cache-busting loader API for use in the TinyMCE
plugin.
This is not for use in any TinyMCE subplugins at this time as we have no
use-case outside of AMD modules.
This loader ensures that only files within the js/tiny directory are
loaded, and it only supports either .js or .css files at this time.
The client-side of the loader makes use of the jsrevision as a
cache-buster, including for CSS files included with TinyMCE.
If the revision is negative, then files are not cached.
If the revision is positive, then the requested file is cached in a
candidate file and served using aggressive cache headers.