  1. Nuxeo Platform
  2. NXP-28599

Blob properties should expose final URL if possible

    Details

    • Release Notes Summary:
      Blob properties can expose a final URL with a parameter.
    • Impact type:
      Configuration Change
    • Upgrade notes:
      If a document's blob provider is configured for direct download, it's now possible to get direct links to the final download URL (to S3 or CloudFront typically) returned in the JSON document output.

      To activate this feature, the following must be configured:

        <require>org.nuxeo.ecm.core.io.download.DownloadService</require>
        <extension target="org.nuxeo.runtime.ConfigurationService" point="configuration">
          <property name="org.nuxeo.download.url.follow.redirect">true</property>
        </extension>
      
    • Team:
      FG
    • Sprint:
      nxFG 11.1.12

      Description

      Currently, when we marshal a Blob property in JSON, we give the DownloadHelper-based URL.

      When S3 DirectUpload/Download is configured, the client is then redirected (302) to the S3 URL (can be CloudFront): https://github.com/nuxeo/nuxeo/blob/master/nuxeo-core/nuxeo-core-io/src/main/java/org/nuxeo/ecm/core/io/marshallers/json/document/DocumentPropertyJsonWriter.java#L311

      However, in some cases, when the blob is requested through an AJAX request, it ends up in a CORS error because the Origin header is lost during the redirect (cf. https://stackoverflow.com/questions/30193851/ajax-call-following-302-redirect-sets-origin-to-null).

      NOTE that this problem only occurs if the webapp and the Nuxeo server run on different domains, as in this situation the webapp makes a first cross-origin request to Nuxeo, which does a redirect to another cross-origin domain (at which point the Origin is set to null — this is per spec and done to avoid CSRF issues in case of a compromised server doing rogue redirects).

      When we can, we should directly give the S3 or CloudFront pre-signed URL to download the blob.
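
      The Origin behaviour described in the NOTE above follows the Fetch Standard's redirect-tainted origin rule. The following is an added example (not Nuxeo code and not part of the original issue) that models that rule for the redirect chain and for the direct final URL; all hostnames and paths in it are constructed placeholders.

```javascript
// Added example: models the Fetch Standard's "redirect-tainted origin" check.
// Hostnames and paths are constructed placeholders, not real Nuxeo or S3 URLs.
const WEBAPP_PAGE = "https://app.example.com/ui/";
const NUXEO_PAGE = "https://nuxeo.example.net/ui/";
const NUXEO_BLOB_URL = "https://nuxeo.example.net/download-placeholder/file.pdf";
const FINAL_BLOB_URL = "https://bucket.s3.example.org/key-placeholder?sig=placeholder";

// True when a hop changes origin while the previous hop was already
// cross-origin to the page that issued the request.
function hasRedirectTaintedOrigin(requestOrigin, urlList) {
  let last = null;
  for (const raw of urlList) {
    const url = new URL(raw);
    if (last !== null && url.origin !== last.origin && requestOrigin !== last.origin) {
      return true;
    }
    last = url;
  }
  return false;
}

// Serialized origin used for the Origin header (when one is sent) on the
// request for the last URL of urlList: "null" once the chain is tainted.
function originHeaderFor(requestOrigin, urlList) {
  return hasRedirectTaintedOrigin(requestOrigin, urlList) ? "null" : requestOrigin;
}

// Report the Origin value at every hop of a redirect chain started by pageUrl.
function traceOriginHeaders(pageUrl, chain) {
  const requestOrigin = new URL(pageUrl).origin;
  return chain.map((url, i) => ({
    host: new URL(url).host,
    origin: originHeaderFor(requestOrigin, chain.slice(0, i + 1)),
  }));
}

// Webapp and Nuxeo on different domains: the 302 hop to storage gets "null",
// so a storage CORS policy that allows only the webapp origin rejects it.
console.log(traceOriginHeaders(WEBAPP_PAGE, [NUXEO_BLOB_URL, FINAL_BLOB_URL]));
// Webapp served from the Nuxeo origin: the redirect keeps the real origin.
console.log(traceOriginHeaders(NUXEO_PAGE, [NUXEO_BLOB_URL, FINAL_BLOB_URL]));
// Final URL exposed in the JSON output: one cross-origin request, no redirect.
console.log(traceOriginHeaders(WEBAPP_PAGE, [FINAL_BLOB_URL]));
```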
