When the Public CDN feature is turned off, I expect that the assets in the Style Library or Masterpage Gallery are only accessible for authorized users. When I enable the CDN feature I would expect them to be available publicly only through the CDN URL.
All the extensions that would be available through the public CDN feature are publicly available through their original URL even when the CDN feature is turned off.
Put an image or CSS file in the style library of a site collection, make sure it's published. Open a browser in InPrivate mode. Paste the original URL, e.g. https://tenant.sharepoint.com/sites/sitecollection/Style%20Library/yourfile.css. Notice that the file is being served without any request for authentication.
So, just to clarify, the request is coming through with a tenant.sharepoint.com URL? In that case, the CDN isn't involved, that's just pure SharePoint.
This sounds more like a product issue rather than a developer issue (the general focus of this issues list), but let's see if I can help direct the initial investigation anyhow.
If you look at the request for the resource in the network tab in the developer tools, can you double check that there are no auth flows running? If you look at the actual .css request, does the etag variable have a "pub" written at the end of it? If it does, can you try the following:
Create another file with a non-standard extension (say foo.text). If you make a request for foo.text, are you prompted for auth?
Thanks for the quick reply. I requested a CSS file, and this does have pub written at the end of the ETag response header. The value is: ETag:"{20EEF0E4-1F7B-4D67-A8A8-66A0EBF41C22},8pub".
I opened a new incognito browser window and requested the css file. It was opened directly:

These are the request headers, as you can see, no token is sent:

If I do the same for foo.text, in the same folder, I am prompted for auth:

Agree with you that this indeed is rather a product issue. What's the best place to report this? I tried issuing a service request, and the support engineer directed me to UserVoice, but this isn't really a feature request either. I think it's something that doesn't work as expected and that people should be aware of. Is there an issue list for SharePoint product related issues?
Can confirm this behaviour. The assets in Style Library are publicly available even on tenants which have never had the Office 365 CDN turned on.
Not ignoring this thread, just collecting information from various parties before responding fully.
Hi Pat, are there already some updates to share?
Sorry for the delay. While this behaviour was deliberate (and will continue to exist for on-prem customers where there is a significantly higher amount of configurability), our new recommended pattern for this is the public CDN feature, and as such a change will be rolling out to SharePoint Online over the next few weeks to require authentication for all files in the style library.
Thanks for your reply! Good to know that this will be fixed!
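
Added example, not part of the original thread and not Microsoft tooling: a Python check that repeats the anonymous request described above against assets in your own tenant and reports whether the file was served without authentication and whether its ETag carries the `pub` suffix. The names `classify` and `probe` are hypothetical, and treating 401/403 and 3xx responses as an authentication prompt is an assumption.

```python
import re
import urllib.error
import urllib.request

# ETag shape quoted in the thread: "{GUID},<number>" with an optional "pub" suffix.
ETAG_RE = re.compile(r'^"?\{[0-9A-Fa-f-]{36}\},(\d+)(pub)?"?$')


def classify(status, headers):
    """Classify an unauthenticated response from its status code and headers."""
    headers = {k.lower(): v for k, v in headers.items()}
    match = ETAG_RE.match(headers.get("etag", "").strip())
    pub = bool(match and match.group(2))
    if status == 200:
        verdict = "served-anonymously"
    elif status in (401, 403):
        verdict = "auth-required"
    elif 300 <= status < 400:
        # Assumption: a redirect on an anonymous request starts a sign-in flow.
        verdict = "auth-redirect"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "etag_pub": pub}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as an HTTPError instead of following it


def probe(url, timeout=10):
    """GET url with no cookies or Authorization header and classify the reply."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        return classify(err.code, dict(err.headers))


if __name__ == "__main__":
    # Constructed responses; the ETag is the value quoted in the thread.
    etag = '"{20EEF0E4-1F7B-4D67-A8A8-66A0EBF41C22},8pub"'
    print("yourfile.css:", classify(200, {"ETag": etag}))
    print("foo.text:    ", classify(401, {}))  # 401 is a constructed status
```

Run `probe()` on a list of published Style Library URLs before and after the announced change to confirm that every asset moves from `served-anonymously` to an authentication verdict.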