ActiveStorage: Cache-Control: max-age=3155695200, public and Set-Cookie: _app_session=

In using ActiveStorage’s proxy mode:

config.active_storage.resolve_model_to_route = :rails_storage_proxy

I was surprised to find that Rails returns both Cache-Control: max-age=3155695200, public AND Set-Cookie: _app_session=... when GETing ActiveStorage uploaded files via the proxy URL. Caching cookie session data does not seem like a good idea and I was surprised to find little mention of this online or in the codebase (maybe I’m missing something obvious?).

As a workaround I have set up an initializer to instruct the ActiveStorage::Blobs::ProxyController controller to not return the session AND not cache any set-cookie headers should they slip through on the show action:

Rails.application.config.to_prepare do
  ActiveStorage::Blobs::ProxyController.class_eval do
    # Skip session persistence for blob responses so no session cookie is written.
    after_action -> { request.session_options[:skip] = true }, only: :show

    # Belt and braces: if a Set-Cookie still slips through, mark it non-cacheable.
    after_action(only: :show) do
      if response.headers["Cache-Control"].present?
        response.headers["Cache-Control"] += ", no-cache='set-cookie'"
      else
        response.headers["Cache-Control"] = "no-cache='set-cookie'"
      end
    end
  end
end

It seems like there should be some convention or logic in Rails regarding Cache-Control and Set-Cookie where Rails automatically strips Set-Cookie headers from any responses that could result in shared caches (proxies, CDNs) storing cookie data. Has this been discussed or considered before? Is there a better approach?

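One way to enforce the convention the post asks for, as an added example that is not part of the original post or of Rails: a Rack middleware that strips (or privatizes) Set-Cookie whenever Cache-Control makes the response shared-cacheable. The names CookieCacheGuard, BLOB_APP and guarded_headers are assumptions, and the sample response is constructed from the headers quoted above.

```ruby
# Added example, not code from the original post or from Rails: a small Rack middleware
# keeping Set-Cookie out of shared-cacheable responses. Assumes only the Rack triplet.
class CookieCacheGuard
  SHARED_DIRECTIVES  = %w[public s-maxage max-age].freeze
  PRIVATE_DIRECTIVES = %w[private no-store].freeze

  # :strip drops Set-Cookie; :privatize keeps the cookie but rewrites
  # Cache-Control so proxies and CDNs will not store the response.
  def initialize(app, mode: :strip)
    @app  = app
    @mode = mode
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    cc_key = header_key(headers, "cache-control")
    sc_key = header_key(headers, "set-cookie")
    if sc_key && cc_key && self.class.shared_cacheable?(headers[cc_key])
      @mode == :privatize ? (headers[cc_key] = "private, no-store") : headers.delete(sc_key)
    end
    [status, headers, body]
  end

  # True when Cache-Control lets a shared cache store the response: a freshness
  # directive (public, s-maxage, max-age) and no private/no-store override.
  def self.shared_cacheable?(value)
    names = value.to_s.downcase.split(",").map { |d| d.strip.split("=").first }
    return false if (names & PRIVATE_DIRECTIVES).any?
    (names & SHARED_DIRECTIVES).any?
  end

  private

  # Rack 3 lower-cases header names, older stacks use Title-Case; match either.
  def header_key(headers, name)
    headers.keys.find { |k| k.to_s.downcase == name }
  end
end

# Constructed stand-in for the proxy response described in the thread.
BLOB_APP = lambda do |_env|
  [200, { "Cache-Control" => "max-age=3155695200, public",
          "Set-Cookie" => "_app_session=abc123; path=/; HttpOnly" }, ["blob bytes"]]
end

# Headers the client receives once the guard wraps the app, in the given mode.
def guarded_headers(mode = :strip)
  CookieCacheGuard.new(BLOB_APP, mode: mode).call({})[1]
end
```

In a Rails app the guard would be inserted with config.middleware.insert_before ActionDispatch::Session::CookieStore (or whichever session store is in use) so it sees the final Set-Cookie header.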

@Sean I came on here exactly because of this issue.

Has this workaround been successful for you? Were you able to get an answer to your question in any other venue?

EDIT

I found a discussion of this on the Rails repo. There are some good answers there for anyone else who encounters this.
