Problem/Motivation

One of the worst things that could happen with regard to #2429287: [meta] Finalize the cache contexts API & DX/usage, enable a leap forward in performance is that we ship 8.0.x and then find something that should have had cacheable metadata but does not, and that either introduces a security issue (compare tokens) or should at least mark itself uncacheable but lets one opt in to it being cacheable.

Proposed resolution

Audit core for things missing cacheable metadata, e.g.:

- Does it have tags (pretty complete), but is missing contexts? (e.g. is it varying on something external, but not specifying that?)
- Does it have contexts, but is missing tags? (e.g. is invalidation a problem once this becomes cacheable?)

Remaining tasks

- Audit
- Discuss

User interface changes

API changes

Data model changes
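
The two audit questions under "Proposed resolution", turned into a check over a render array. This is an added example, not part of the original issue or of Drupal core; the function name `audit_cache_metadata()` and the sample build are assumptions made for illustration.

```php
<?php
// Added illustration: standalone PHP, no Drupal bootstrap needed.
// Heuristic only: metadata can also bubble up from children or be set by
// the caller, so each finding is a prompt for review, not a confirmed bug.

/**
 * Reports render elements whose #cache metadata is one-sided.
 *
 * @return string[] One finding per flagged element, prefixed with its path.
 */
function audit_cache_metadata(array $element, string $path = 'build'): array {
  $findings = [];
  $cache = $element['#cache'] ?? NULL;
  if (is_array($cache)) {
    $tags = $cache['tags'] ?? [];
    $contexts = $cache['contexts'] ?? [];
    // max-age 0 marks the element uncacheable, so it is skipped here.
    $uncacheable = ($cache['max-age'] ?? NULL) === 0;
    if (!$uncacheable && $tags && !$contexts) {
      $findings[] = "$path: tags without contexts (does the output vary per user, URL or language?)";
    }
    elseif (!$uncacheable && $contexts && !$tags) {
      $findings[] = "$path: contexts without tags (what invalidates it once cached?)";
    }
  }
  foreach ($element as $key => $child) {
    // Keys starting with '#' are properties; every other array is a child.
    if (is_array($child) && strncmp((string) $key, '#', 1) !== 0) {
      $findings = array_merge($findings, audit_cache_metadata($child, "$path.$key"));
    }
  }
  return $findings;
}

// Constructed sample build, not taken from core.
$build = [
  'greeting' => ['#markup' => 'Hello, alice', '#cache' => ['tags' => ['user:7']]],
  'teaser' => ['#markup' => 'Latest news', '#cache' => ['contexts' => ['url.query_args']]],
  'article' => [
    '#markup' => 'Body text',
    '#cache' => ['tags' => ['node:5'], 'contexts' => ['user.permissions']],
  ],
  'token_form' => ['#markup' => '<form></form>', '#cache' => ['max-age' => 0]],
];

foreach (audit_cache_metadata($build) as $finding) {
  echo $finding, PHP_EOL;
}
```

The per-user `greeting` element is the security-relevant case: with tags but no `user` context, one user's rendered output could be served to another once the element is cached.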

Comments

Fabianx

Wim Leers

Issue summary: View changes

I don't think we'll find more skeletons in the closet.

Thanks to #1805054: Cache localized, access filtered, URL resolved, and rendered menu trees, #606840: Enable internal page cache by default and #2429617: Make D8 2x as fast: Dynamic Page Cache: context-dependent page caching (for *all* users!), we've uncovered piles of things missing cacheability metadata. At this point, the only things we're discovering are APIs that are pretty much unused in Drupal 8 core (i.e. #2525910: Ensure token replacements have cacheability + attachments metadata and that it is bubbled in any case), of which we only have very few.

I think that if anything remains, we'll only actually discover it after D8 ships. But, sure, we should do another sweep.

cosmicdreams

How would one even audit core to see if it needs better support for cacheability? Are we talking about reading through all the code?

Fabianx

#3 Yes! Of course.

I already have ordered a horde of monkeys to do so ...

Uhm, no, not really. The important thing is to look at subsystems we do support in Core and see if there are any hidden cacheability problems.

But then for each subsystem we do need to look at the code, yes.

Berdir

Not sure how this issue is different from e.g. #2467071: [meta] Find, fix & finish cache tag support: try to find broken scenarios as the anonymous user

The title is only about cache tags and anonymous users atm, but there's no reason to not expand it to auth users and cache contexts as well?

Wim Leers

#5: That other issue was specifically about Page Cache. So indeed only for anon user.

Fabianx

Title: Audit core for things missing cacheable metadata » Audit core for things missing cacheable metadata (for authenticated users)

I think it makes sense to split things up; clarified title.

moshe weitzman

This issue is not actionable IMO. It's sort of like 'Find any bugs in my subsystem'. I think it should be closed and bugs can be reported separately as needed.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Berdir

Status: Active » Closed (won't fix)

Agreed. This was open for two years, there is no specific goal. I'd say we close this.