- Type: Bug
- Status: Resolved
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 7.10-HF18, 8.10
- Fix Version/s: 9.1
- Component/s: Performance, Web UI
Nuxeo Caching Headers of DownloadService
Context
Here is a schema which summarises browser caching strategies.
In org.nuxeo.ecm.core.io.download.DownloadServiceImpl#addCacheControlHeaders (used in org.nuxeo.ecm.webengine.model.io.BlobWriter), the following caching headers are set. They override the configuration done in org.nuxeo.ecm.platform.web.common.encoding.NuxeoEncodingFilter from org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerManager contributions:
Cache-Control: private, must-revalidate
ETag: ...
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
So each time a thumbnail, image or blob in general is downloaded, if the browser has to re-execute the same request it will check with the server again, using the ETag, and get a 403 not modified response.
For instance, requesting a document listing with 10 thumbnails to display results in 1 second of 403 not modified checks from the browser (on a simple AWS instance like http://webui.demo.nuxeo.com/nuxeo/ui/).
Solution
We need to remove this override to be able, for instance, to customize the DownloadService cache (this setting can be contributed via this extension point). Here is a setting example:
<component name="org.nuxeo.browser.cache.settings">
  <require>org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService.defaultContrib</require>
  <extension target="org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerService" point="responseHeaders">
    <header name="X-UA-Compatible">IE=10; IE=11</header>
    <header name="Cache-Control">private, max-age=60, must-revalidate</header>
    <header name="X-Content-Type-Options">nosniff</header>
    <header name="X-XSS-Protection">1; mode=block</header>
    <header name="X-Frame-Options">${nuxeo.frame.options:=SAMEORIGIN}</header>
    <header name="Content-Security-Policy">default-src *; script-src 'unsafe-inline' 'unsafe-eval' data: *; style-src 'unsafe-inline' *; font-src data: *</header>
  </extension>
</component>
-> <header name="Cache-Control">private, max-age=60, must-revalidate</header>
- The cache stays private
- We keep the ETag if the If-None-Match header is present in the request
- We remove the wrong, useless Expires header and replace it by max-age set to 1 minute (a more modern way of setting the cache expiry time)
- We keep must-revalidate to explicitly state that "once the cache expires, refuse to return stale responses to the user even if they say that stale responses are acceptable"
Result:
- The first time, as usual, the assets are downloaded from the server with a 200 OK status
- When the page is refreshed a second time within the 1 minute, the browser gets the assets only from its cache and does not revalidate them with the server -> we avoid the 403 not modified round trip and gain 100 ms for each blob display.
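The header sets before and after the change, run through a simplified model of browser cache freshness, as an added JavaScript example that is not Nuxeo code. It shows why the old headers force a conditional request on every reload while max-age=60 does not, and that private keeps the blob out of shared caches in both cases. The function names, the ETag and the Date value are assumptions made for the illustration.

```javascript
// Simplified model of HTTP cache freshness (RFC 9111): heuristic freshness,
// request directives and the response Pragma header are not modelled.
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of (value || "").split(",")) {
    const [name, arg] = part.trim().split("=");
    if (name) directives.set(name.toLowerCase(), arg === undefined ? true : arg);
  }
  return directives;
}

// headers: lower-case header names; ageSeconds: time since the response was stored.
function cacheDecision(headers, ageSeconds) {
  const cc = parseCacheControl(headers["cache-control"]);
  const stored = !cc.has("no-store");
  let lifetime = 0;
  if (cc.has("max-age")) {
    lifetime = Number(cc.get("max-age")); // max-age takes precedence over Expires
  } else if (headers["expires"] && headers["date"]) {
    const delta = (Date.parse(headers["expires"]) - Date.parse(headers["date"])) / 1000;
    lifetime = Math.max(0, delta); // an Expires date in the past means "already stale"
  }
  const fresh = stored && !cc.has("no-cache") && ageSeconds < lifetime;
  let action = "refetch";
  if (fresh) action = "serve-from-cache";
  else if (stored && headers["etag"]) action = "revalidate-with-etag";
  return { action, sharedCacheMayStore: stored && !cc.has("private") };
}

// Constructed sample responses; the ETag and Date values are placeholders.
const before = {
  "cache-control": "private, must-revalidate",
  "etag": '"constructed-digest"',
  "pragma": "no-cache",
  "expires": "Thu, 01 Jan 1970 00:00:00 GMT",
  "date": "Mon, 06 Mar 2017 10:00:00 GMT",
};
const after = {
  "cache-control": "private, max-age=60, must-revalidate",
  "etag": '"constructed-digest"',
  "date": "Mon, 06 Mar 2017 10:00:00 GMT",
};

for (const [label, headers] of [["before", before], ["after", after]]) {
  for (const age of [10, 61]) {
    console.log(label, `age=${age}s`, JSON.stringify(cacheDecision(headers, age)));
  }
}
```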