src/CdnFarfutureController.php                  | 25 ++++++++++++++-----------
 src/File/FileUrlGenerator.php                   |  6 +++---
 src/PathProcessor/CdnFarfuturePathProcessor.php | 14 ++++++++++----
 tests/src/Functional/CdnIntegrationTest.php     |  3 +++
 4 files changed, 30 insertions(+), 18 deletions(-)

diff --git a/src/CdnFarfutureController.php b/src/CdnFarfutureController.php
index aad83a6..ec7ec75 100644
--- a/src/CdnFarfutureController.php
+++ b/src/CdnFarfutureController.php
@@ -43,8 +43,8 @@ class CdnFarfutureController {
    * Serves the requested file with optimal far future expiration headers.
    *
    * @param \Symfony\Component\HttpFoundation\Request $request
-   *   The current request. $request->query must have root_relative_file_url,
-   *   set by \Drupal\cdn\PathProcessor\CdnFarfuturePathProcessor.
+   *   The current request. $request->query must have relative_file_url, set by
+   *   \Drupal\cdn\PathProcessor\CdnFarfuturePathProcessor.
    * @param string $security_token
    *   The security token. Ensures that users can not request any file they want
    *   by manipulating the URL (they could otherwise request settings.php for
@@ -54,26 +54,26 @@ class CdnFarfutureController {
    * @param string $scheme
    *   The file's scheme.
    *
-   * @returns \Symfony\Component\HttpFoundation\BinaryFileResponse
+   * @return \Symfony\Component\HttpFoundation\BinaryFileResponse
    *   The response that will efficiently send the requested file.
    *
    * @throws \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
-   *   Thrown when the 'root_relative_file_url' query argument is not set, which
-   *   can only happen in case of malicious requests or in case of a malfunction
-   *   in \Drupal\cdn\PathProcessor\CdnFarfuturePathProcessor.
+   *   Thrown when the 'relative_file_url' query argument is not set, which can
+   *   only happen in case of malicious requests or in case of a malfunction in
+   *   \Drupal\cdn\PathProcessor\CdnFarfuturePathProcessor.
    * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
    *   Thrown when an invalid security token is provided.
    */
   public function downloadByScheme(Request $request, $security_token, $mtime, $scheme) {
     // Validate the scheme early.
-    if (!$request->query->has('relative_file_url') || ($scheme != FileUrlGenerator::RELATIVE && !$this->fileSystem->validScheme($scheme))) {
+    if (!$request->query->has('relative_file_url') || ($scheme !== FileUrlGenerator::RELATIVE && !$this->fileSystem->validScheme($scheme))) {
       throw new BadRequestHttpException();
     }
 
     $path = $request->query->get('relative_file_url');
     // A relative URL for a file contains '%20' instead of spaces. A relative
     // file path contains spaces.
-    $uri = $scheme == FileUrlGenerator::RELATIVE
+    $uri = $scheme === FileUrlGenerator::RELATIVE
       ? $path
       // Path comes with a leading slash from the URL.
       : $scheme . ':/' . $path;
@@ -84,7 +84,7 @@ class CdnFarfutureController {
     }
 
     // Strip the leading slash for truly relative paths.
-    if ($scheme == FileUrlGenerator::RELATIVE) {
+    if ($scheme === FileUrlGenerator::RELATIVE) {
       $uri = substr($path, 1);
     }
 
@@ -106,7 +106,7 @@ class CdnFarfutureController {
    * @param int $mtime
    *   The file's mtime.
    *
-   * @returns \Symfony\Component\HttpFoundation\BinaryFileResponse
+   * @return \Symfony\Component\HttpFoundation\BinaryFileResponse
    *   The response that will efficiently send the requested file.
    *
    * @throws \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
@@ -116,7 +116,10 @@ class CdnFarfutureController {
    * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
    *   Thrown when an invalid security token is provided.
    *
-   * @deprecated This method is deprecated in favor of ::downloadByScheme
+   * @deprecated This method is deprecated in favor of ::downloadByScheme. Will be removed
+   *
+   * @deprecated in 3.3 and will be removed before CDN 4.0. Use
+   *   ::downloadByScheme() instead.
    */
   public function download(Request $request, $security_token, $mtime) {
     // Ensure \Drupal\cdn\PathProcessor\CdnFarfuturePathProcessor did its job.
diff --git a/src/File/FileUrlGenerator.php b/src/File/FileUrlGenerator.php
index 67439f1..8a7314b 100644
--- a/src/File/FileUrlGenerator.php
+++ b/src/File/FileUrlGenerator.php
@@ -212,10 +212,10 @@ class FileUrlGenerator {
     $scheme = $this->fileSystem->uriScheme($uri);
 
     // Allow additional stream wrappers to be served via CDN.
-    $streamWrapperTypes = $this->settings->getStreamWrappers();
+    $allowed_stream_wrappers = $this->settings->getStreamWrappers();
     // If the URI is absolute — HTTP(S) or otherwise — return early, except if
-    // it's an absolute URI using an approved stream wrapper type.
-    if ($scheme && !in_array($scheme, $streamWrapperTypes)) {
+    // it's an absolute URI using an allowed stream wrapper.
+    if ($scheme && !in_array($scheme, $allowed_stream_wrappers, TRUE)) {
       return FALSE;
     }
     // If the URI is protocol-relative, return early.
diff --git a/src/PathProcessor/CdnFarfuturePathProcessor.php b/src/PathProcessor/CdnFarfuturePathProcessor.php
index 10a114e..a56dd55 100644
--- a/src/PathProcessor/CdnFarfuturePathProcessor.php
+++ b/src/PathProcessor/CdnFarfuturePathProcessor.php
@@ -23,8 +23,9 @@ class CdnFarfuturePathProcessor implements InboundPathProcessorInterface {
    * {@inheritdoc}
    */
   public function processInbound($path, Request $request) {
+    // @todo Remove before CDN 4.0.
     if (strpos($path, '/cdn/farfuture/') === 0) {
-      return $this->processDeprecatedFarFuture($path, $request);
+      return $this->processLegacyFarFuture($path, $request);
     }
     if (strpos($path, '/cdn/ff/') === 0) {
       return $this->processFarFuture($path, $request);
@@ -40,7 +41,8 @@ class CdnFarfuturePathProcessor implements InboundPathProcessorInterface {
    * @param \Symfony\Component\HttpFoundation\Request $request
    *   The request.
    *
-   * @return string The processed path.
+   * @return string
+   *   The processed path.
    */
   protected function processFarFuture($path, Request $request) {
     // Parse the security token, mtime, scheme and root-relative file URL.
@@ -61,9 +63,13 @@ class CdnFarfuturePathProcessor implements InboundPathProcessorInterface {
    * @param \Symfony\Component\HttpFoundation\Request $request
    *   The request.
    *
-   * @return string The processed path.
+   * @return string
+   *   The processed path.
+   *
+   * @deprecated in 3.3 and will be removed before CDN 4.0. Use
+   *   ::processFarFuture() instead.
    */
-  protected function processDeprecatedFarFuture($path, Request $request) {
+  protected function processLegacyFarFuture($path, Request $request) {
     $tail = substr($path, strlen('/cdn/farfuture/'));
     list($security_token, $mtime, $root_relative_file_url) = explode('/', $tail, 3);
     $returnPath = "/cdn/farfuture/$security_token/$mtime";
diff --git a/tests/src/Functional/CdnIntegrationTest.php b/tests/src/Functional/CdnIntegrationTest.php
index da276bd..37f7f0f 100644
--- a/tests/src/Functional/CdnIntegrationTest.php
+++ b/tests/src/Functional/CdnIntegrationTest.php
@@ -178,6 +178,9 @@ class CdnIntegrationTest extends BrowserTestBase {
 
   /**
    * Tests the legacy far future path.
+   *
+   * @group legacy
+   * @todo Remove before CDN 4.0.
    */
   public function testOldFarfuture() {
     $druplicon_png_mtime = filemtime('public://druplicon ❤️.png');