closes SAS-1474, SAS-1452
canvas server-side, when:
* a canvas request would generate a redirect to an inst-fs file
* but the request also includes a `X-Canvas-File-Location` header
* and the request is session authenticated
then the server instead responds with a JSON object with:
* a `location` field containing the nominal redirect target
* a `token` field containing a token that can be used as a value for
an `Authorization: Bearer <token>` header when requesting the file
a service worker is then added that intercepts non-navigation GET
requests to those endpoints. it adds the X-Canvas-File-Location header
to the request, and then issues a followup request for the returned
location with the Authorization header added. in effect, it's following
the redirect but with the Authorization header injected. inst-fs can
then recognize the Authorization header as a means of user
authentication in the absence of cookies.
finally, the service worker is installed only if:
* the plugin setting controlling it is enabled
* the browser is Safari 13+
other browsers are able to use simpler workarounds when cookie blocking
is enabled and can thus take advantage otherwise.
test-plan:
* have canvas and inst-fs both served over https
* for safari, be using 13.1 or newer with tracking prevention enabled
* leave the service worker disabled through the inst-fs plugin setting
* have an image uploaded to inst-fs
* visit the image's preview page in the files UI:
- in safari: observe the image fails to load
- in chrome: observe the image successfully loads
* enable the service worker via the plugin setting
* refresh the image's preview page:
- in safari: observe the image now successfully loads
- in chrome: the image still successfully loads, but does so without
involving the service worker
Change-Id: Ie28f2cad40f67549bfbb4c7c6604f215581fbe18
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/237135
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Jeremy Stanley <jeremy@instructure.com>
Product-Review: Jacob Fugal <jacob@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
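The intercept-and-follow flow described in the message above, as an added example that is not the Canvas or inst-fs code: the header value `true`, the caller-supplied endpoint predicate and the injected fetch function are assumptions, and the follow-up request omits credentials as a choice of this example.

```javascript
// Added example, not the Canvas or inst-fs code: the service worker flow
// from the commit message as a testable function. Assumptions: the header
// value "true" (the commit only says the header is present), the endpoint
// predicate supplied by the caller, and an injected fetch so it can be
// stubbed offline.

const FILE_LOCATION_HEADER = 'X-Canvas-File-Location';

// Only non-navigation GETs to file endpoints take the token path;
// everything else falls through to the network untouched.
function shouldIntercept(request, isFileEndpoint) {
  return request.method === 'GET' &&
    request.mode !== 'navigate' &&
    isFileEndpoint(new URL(request.url));
}

// 1. re-issue the Canvas request with X-Canvas-File-Location so the
//    session-authenticated server answers {location, token} instead of 302;
// 2. fetch `location` with Authorization: Bearer <token>, which inst-fs
//    accepts in place of the cookies Safari would have withheld.
async function fetchWithFileToken(request, fetchImpl) {
  const headers = new Headers(request.headers);
  headers.set(FILE_LOCATION_HEADER, 'true'); // value assumed
  const first = await fetchImpl(request.url, { method: 'GET', headers });

  // Not the JSON redirect stand-in (e.g. the file was served inline or
  // the request failed): hand the response back unchanged.
  const type = first.headers.get('content-type') || '';
  if (!first.ok || !type.includes('application/json')) return first;
  const body = await first.json();
  if (typeof body.location !== 'string' || typeof body.token !== 'string') {
    return first;
  }

  // Cross-origin follow-up: send the bearer token and nothing else, so
  // Canvas cookies and the file-location header never reach inst-fs.
  return fetchImpl(body.location, {
    method: 'GET',
    headers: { Authorization: `Bearer ${body.token}` },
    credentials: 'omit',
  });
}

// In a real worker the two functions are wired up roughly as:
//   self.addEventListener('fetch', (event) => {
//     if (shouldIntercept(event.request, isFileEndpoint)) {
//       event.respondWith(fetchWithFileToken(event.request, fetch));
//     }
//   });
```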