Previously we used the Node default behavior of just closing the
socket. This made it difficult for load balancers to understand if the
backend is buggy or the client request was bad (if Node is validating
something more strictly than the load balancer).
This only takes effect on Node 6; in older versions the socket is
already destroyed before the event is invoked. See
https://github.com/nodejs/node/pull/4557/ for details.
Previously we did not take the JsCssRewriteHook (i.e. CDN host)
into account when doing CSS-only "version-refreshable" HCP.
It is not possible on the client to rewrite CSS urls to take the
hook into account (as it is a function), so instead, we just
publish those CSS URLs post-transform.
To ensure we don’t hot code push JavaScript that is incompatible with
the bundled native code, we calculate a hash based on the platform and
plugin versions.
Not setting the Access-Control-Allow-Origin header prevents Cordova apps
built with Meteor < 1.3 from downloading manifest.json and thus blocks
autoupdate.
When downloading files during a Cordova hot code push, we need to
detect if a file is not available instead of inadvertently downloading
the default index page.
If we serve files with a Last-Modified based on the file date, this
interferes with content-based cache validation using ETag because
clients are required to take both into account.
We previously served non-cacheable files with a max-age of a day. This was done
to avoid image flickering on page reload (see #773).
As far as I can tell, image flickering still occurs because `location.reload`
always forces validation. But switching to `location.replace` means that max-age
will actually be respected, and we don't want to cache these assets for a day
because then changes would not be visible on reloads.
Previously, the ETag header was set (by `send`) to a default value based on the
inode of the file. Using the asset hash instead allows for proper conditional
requests even after redeployments.
To take advantage of content-based caching, we also have to disable the
Last-Modified header because having this set to the file date would still make
requests conditional on the most recent deployment. This requires updating the
send dependency and is done in a separate commit.
Fixes #626.
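
The content-hash ETag behaviour described in the two commit messages above, as an added example that is not part of the commits or of Meteor's code. `makeAsset` and `respond` are hypothetical names, the CSS is constructed sample data, and SHA-1 over the body stands in for the bundler's asset hash.

```javascript
const crypto = require('crypto');

// Build an in-memory asset record. The hash depends only on the bytes,
// so it is identical across deployments that ship the same content.
function makeAsset(content, type = 'text/css') {
  const body = Buffer.from(content);
  const hash = crypto.createHash('sha1').update(body).digest('hex');
  return { body, type, hash };
}

// Split an If-None-Match value into entity tags. The weak prefix is
// dropped because If-None-Match uses weak comparison (RFC 7232).
// Splitting on "," is safe here because hex hashes contain no commas.
function parseIfNoneMatch(value) {
  if (!value) return [];
  return value.split(',').map((t) => t.trim().replace(/^W\//, ''));
}

// Decide status and headers for a GET of `asset`. `reqHeaders` uses
// lower-cased names, as Node's http module delivers them.
function respond(asset, reqHeaders) {
  const etag = `"${asset.hash}"`;
  // No Last-Modified is emitted: a file date changes on every deployment
  // and would invalidate caches even when the content is unchanged.
  const headers = { ETag: etag, 'Content-Type': asset.type };
  const tags = parseIfNoneMatch(reqHeaders['if-none-match']);
  // If-Modified-Since is ignored whenever If-None-Match is present.
  if (tags.includes('*') || tags.includes(etag)) {
    return { status: 304, headers, body: null };
  }
  return { status: 200, headers, body: asset.body };
}

// Constructed scenario: first fetch, then a redeploy of identical bytes.
const v1 = makeAsset('body { color: #333; }\n');
const first = respond(v1, {});
const redeployed = makeAsset('body { color: #333; }\n');
const revalidated = respond(redeployed, {
  'if-none-match': first.headers.ETag,
});
console.log(first.status, revalidated.status);
```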
This commit allows middleware to set the status code of the http response. This will allow a server-side router to return, for example, a '404 Not Found' response. This has SEO benefits because currently search engines may index example.org/page-that-doesn't-exist because Meteor returns a 200 OK code and the normal boilerplate response body. With a proper 404 status we can still return the boilerplate to render a client side 404 template but search engines won't index the page. Instead of a hardcoded 200 response, we call res.writeHead with res.statusCode, and fall back to the default 200 code if it has not been set.
Add a bundledJsCssUrlRewriteHook function, which takes in a function and applies it
to the URL. Do not allow this on Cordova (handle that by just not calling it on Cordova).
Reimplement the bundledJsCssPrefix as a call to this function.
Fixes #3730.
Testing Done:
Manual testing based on the report in #3730. Also confirmed that `</script>` is not a problem.
I would have added a test-packages test but there's no easy way to override Meteor.settings in test-packages.
Bugs closed: 3730
Reviewed at https://rbcommons.com/s/meteor/r/1/
Also remove SIGHUP handler. This was designed for a legacy system, and
SIGHUP would be a better fit for what autoupdate currently uses SIGUSR2
for. This includes removing some code in the ddp server to close
sockets on SIGHUP.
This commit moves parent pid process from the webapp package to the boot
script. This means that daemonized apps without webapp will also exit
when the runner exits, if run from the runner. (For example, several
self-tests such as 'autoupdate' no longer leak node processes.) This is
controlled via the $METEOR_PARENT_PID environment variable instead of
from command line arguments, in order to make fewer assumptions about
how Meteor apps process arguments.
This also drops the old --keepalive support (which already has stopped
being used by the dev mode runner or any MDG deployment platforms).
Neither --parent-pid nor --keepalive were documented beforehand, and
--keepalive was already deprecated before 1.0.
These flags used to also incidentally trigger printing the LISTENING
line; this is now controlled by $METEOR_PRINT_ON_LISTEN.
Fixes #3315.
Cordova serves assets directly from the device so it doesn’t make sense to hit the CDN for them. Besides, it causes issues because they are served from /__cordova (on the real webserver) anyway.
If we use `__meteor_runtime_config__.ROOT_URL` directly, as we were
previously, then we end up sending Cordova clients to http:// URLs even
if force-ssl is being used in the app. This is fairly bad on its own
(always sending cordova clients to http:// URLs instead of https://),
but made even worse by the fact that we don't set CORS headers on
force-ssl redirects (that is, the app breaks completely if the client
makes a DDP connection to an http:// URL for a force-ssl app).