google / android-fhir

The Android FHIR SDK is a set of Kotlin libraries for building offline-capable, mobile-first healthcare applications using the HL7® FHIR® standard on Android.
https://google.github.io/android-fhir/
Apache License 2.0

MINOR: README broken badge looks a bit ugly and gives bad first impression of project #2177

Closed vorburger closed 1 year ago

vorburger commented 1 year ago


Would you like to work on the issue? Yes, please assign this issue to me - I'll debug this a bit - just for fun! 😄

vorburger commented 1 year ago

> I'll debug this a bit

So this is the badge from this in the MD: [![master](https://storage.googleapis.com/android-fhir-build-badges/build.svg)](https://storage.googleapis.com/android-fhir-build-badges/build.html), which GitHub transforms into:

<a href="https://storage.googleapis.com/android-fhir-build-badges/build.html" rel="nofollow"><img src="https://camo.githubusercontent.com/c292ff836930e8348c70fbb3f7e3abd125122ad272d30cba9a22b4e4953f4e75/68747470733a2f2f73746f726167652e676f6f676c65617069732e636f6d2f616e64726f69642d666869722d6275696c642d6261646765732f6275696c642e737667" alt="master" data-canonical-src="https://storage.googleapis.com/android-fhir-build-badges/build.svg" style="max-width: 100%;"></a>

So they turn https://storage.googleapis.com/android-fhir-build-badges/build.svg into https://camo.githubusercontent.com/c292ff836930e8348c70fbb3f7e3abd125122ad272d30cba9a22b4e4953f4e75/68747470733a2f2f73746f726167652e676f6f676c65617069732e636f6d2f616e64726f69642d666869722d6275696c642d6261646765732f6275696c642e737667 - I suspect because they're trying to be nice and not overwhelm other sites and cache such badge images... cute, and fancy, and very nice of GitHub - except it's broken!

The original https://storage.googleapis.com/android-fhir-build-badges/build.svg works:

$ curl -v https://storage.googleapis.com/android-fhir-build-badges/build.svg

*   Trying 142.250.203.123:443...
* Connected to storage.googleapis.com (142.250.203.123) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=storage.googleapis.com
*  start date: Aug 14 08:25:09 2023 GMT
*  expire date: Nov  6 08:25:08 2023 GMT
*  subjectAltName: host "storage.googleapis.com" matched cert's "storage.googleapis.com"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /android-fhir-build-badges/build.svg]
* h2h3 [:scheme: https]
* h2h3 [:authority: storage.googleapis.com]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x564b02230130)
> GET /android-fhir-build-badges/build.svg HTTP/2
> Host: storage.googleapis.com
> user-agent: curl/7.88.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 200 
< x-guploader-uploadid: ADPycdvMhLmAkdaw2HhJUe8WDuGC7ixOdgn-RuwDQwe4gZ_-Hk6I0M66u77ZlVgXfJu98EXCo1YHwDQAPREuuCEJDIg6Eg
< x-goog-generation: 1694794875681535
< x-goog-metageneration: 1
< x-goog-stored-content-encoding: identity
< x-goog-stored-content-length: 741
< x-goog-hash: crc32c=+LPJIg==
< x-goog-hash: md5=hpOOSUadVLnSZsoP8sUxRg==
< x-goog-storage-class: STANDARD
< accept-ranges: bytes
< content-length: 741
< server: UploadServer
< date: Fri, 15 Sep 2023 23:18:38 GMT
< expires: Sat, 16 Sep 2023 00:18:38 GMT
< cache-control: public, max-age=3600
< last-modified: Fri, 15 Sep 2023 16:21:15 GMT
< etag: "86938e49469d54b9d266ca0ff2c53146"
< content-type: application/octet-stream
< age: 1172
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
< 
* Connection #0 to host storage.googleapis.com left intact
<svg xmlns='http://www.w3.org/2000/svg' width='144' height='20'><linearGradient id='a' x2='0' y2='100%'><stop offset='0' stop-color='#bbb' stop-opacity='.1'/><stop offset='1' stop-opacity='.1'/></linearGradient><rect rx='3' width='144' height='20' fill='#555'/><rect rx='3' x='94' width='50' height='20' fill='#4EC820'/><path fill='#4EC820' d='M94 0h4v20h-4z'/><rect rx='3' width='144' height='20' fill='url(#a)'/><g fill='#fff' text-anchor='middle' font-family='DejaVu Sans,Verdana,Geneva,sans-serif' font-size='11'><text x='47' y='15' fill='#010101' fill-opacity='.3'>Build Status</text><text x='47' y='14'>Build Status</text><text x='119' y='15' fill='#010101' fill-opacity='.3'>passing</text><text x='119' y='14'>passing</text></g></svg>⏎                                          

The cached https://camo.githubusercontent.com/c292ff836930e8348c70fbb3f7e3abd125122ad272d30cba9a22b4e4953f4e75/68747470733a2f2f73746f726167652e676f6f676c65617069732e636f6d2f616e64726f69642d666869722d6275696c642d6261646765732f6275696c642e737667 ... not so much:

$ curl -v https://camo.githubusercontent.com/c292ff836930e8348c70fbb3f7e3abd125122ad272d30cba9a22b4e4953f4e75/68747470733a2f2f73746f726167652e676f6f676c65617069732e636f6d2f616e64726f69642d666869722d6275696c642d6261646765732f6275696c642e737667
*   Trying 185.199.111.133:443...
* Connected to camo.githubusercontent.com (185.199.111.133) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.io
*  start date: Feb 21 00:00:00 2023 GMT
*  expire date: Mar 20 23:59:59 2024 GMT
*  subjectAltName: host "camo.githubusercontent.com" matched cert's "*.githubusercontent.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /c292ff836930e8348c70fbb3f7e3abd125122ad272d30cba9a22b4e4953f4e75/68747470733a2f2f73746f726167652e676f6f676c65617069732e636f6d2f616e64726f69642d666869722d6275696c642d6261646765732f6275696c642e737667]
* h2h3 [:scheme: https]
* h2h3 [:authority: camo.githubusercontent.com]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55a8deaf3130)
> GET /c292ff836930e8348c70fbb3f7e3abd125122ad272d30cba9a22b4e4953f4e75/68747470733a2f2f73746f726167652e676f6f676c65617069732e636f6d2f616e64726f69642d666869722d6275696c642d6261646765732f6275696c642e737667 HTTP/2
> Host: camo.githubusercontent.com
> user-agent: curl/7.88.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 400 
< cache-control: no-cache, no-store, private, must-revalidate
< content-security-policy: default-src 'none'; img-src data:; style-src 'unsafe-inline'
< content-type: text/plain; charset=utf-8
< server: github-camo (ccb6cc8d)
< strict-transport-security: max-age=31536000; includeSubDomains
< x-content-type-options: nosniff
< x-frame-options: deny
< x-xss-protection: 1; mode=block
< x-github-request-id: 8E84:0EC0:1B693F2:1C8629C:6504EB3C
< accept-ranges: bytes
< date: Fri, 15 Sep 2023 23:40:00 GMT
< via: 1.1 varnish
< x-served-by: cache-fra-eddf8230105-FRA
< x-cache: MISS
< x-cache-hits: 0
< x-timer: S1694821200.924426,VS0,VE106
< x-fastly-request-id: f07d50cb623e6e4a705d55ebd18198b72f2d5843
< timing-allow-origin: https://github.com
< content-length: 32
< 
Non-Image content-type returned

vorburger commented 1 year ago

The Non-Image content-type returned from GitHub's https://varnish-cache.org likely is caused by Varnish being a MIME Zealot... Note how https://storage.googleapis.com/android-fhir-build-badges/build.svg is content-type: application/octet-stream - I suspect it probably doesn't like that, and is expecting an image MIME type, and doesn't want to cache the binary byte stream. That's perhaps a bit overly strict?

It does work for another SVG, for example https://github.com/google/android-fhir/actions/workflows/build.yml/badge.svg, because that has an image/svg+xml MIME header:

curl -v https://github.com/google/android-fhir/actions/workflows/build.yml/badge.svg
*   Trying 140.82.121.4:443...
* Connected to github.com (140.82.121.4) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
*  start date: Feb 14 00:00:00 2023 GMT
*  expire date: Mar 14 23:59:59 2024 GMT
*  subjectAltName: host "github.com" matched cert's "github.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /google/android-fhir/actions/workflows/build.yml/badge.svg]
* h2h3 [:scheme: https]
* h2h3 [:authority: github.com]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x557c9ea80130)
> GET /google/android-fhir/actions/workflows/build.yml/badge.svg HTTP/2
> Host: github.com
> user-agent: curl/7.88.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 200 
< server: GitHub.com
< date: Fri, 15 Sep 2023 23:45:01 GMT
< content-type: image/svg+xml; charset=utf-8
< vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
< cache-control: max-age=300, private
< etag: W/"c4d90947790db53933680c7197d7120c"
< strict-transport-security: max-age=31536000; includeSubdomains; preload
< x-frame-options: deny
< x-content-type-options: nosniff
< x-xss-protection: 0
< referrer-policy: no-referrer-when-downgrade
< content-security-policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events objects-origin.githubusercontent.com *.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ wss://*.actions.githubusercontent.com github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com support.github.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; 
manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
< set-cookie: _gh_sess=,,, Path=/; HttpOnly; Secure; SameSite=Lax
< set-cookie: _octo=...; Path=/; Domain=github.com; Expires=Sun, 15 Sep 2024 23:45:01 GMT; Secure; SameSite=Lax
< set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Sun, 15 Sep 2024 23:45:01 GMT; HttpOnly; Secure; SameSite=Lax
< accept-ranges: bytes
< content-length: 2324
< x-github-request-id: E...
< 
<svg xmlns="http://www.w3.org/2000/svg" width="196" height="20">
...
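
Added example, not part of the thread or of any GitHub code: a Python pre-flight check that decodes the Camo URL quoted above back to its origin and classifies the origin's `content-type` from `curl -v` output. The `image/*` rule is an assumption inferred from the "Non-Image content-type returned" response, and the header snippets are constructed from the curl output in this issue.

```python
from urllib.parse import urlsplit

# Camo URL copied from the issue; header snippets constructed from its curl output.
CAMO_URL = ("https://camo.githubusercontent.com/"
            "c292ff836930e8348c70fbb3f7e3abd125122ad272d30cba9a22b4e4953f4e75/"
            "68747470733a2f2f73746f726167652e676f6f676c65617069732e636f6d2f"
            "616e64726f69642d666869722d6275696c642d6261646765732f6275696c642e737667")
GCS_HEADERS = """< HTTP/2 200
< content-length: 741
< content-type: application/octet-stream
"""
ACTIONS_HEADERS = """< HTTP/2 200
< content-type: image/svg+xml; charset=utf-8
"""

def decode_camo_url(camo_url):
    """Split a Camo URL into (digest, origin_url); the digest is not verified here."""
    parts = urlsplit(camo_url)
    if parts.hostname != "camo.githubusercontent.com":
        raise ValueError("not a Camo URL")
    segments = parts.path.strip("/").split("/")
    if len(segments) != 2:
        raise ValueError("expected /<digest>/<hex-encoded origin URL>")
    digest, hex_url = segments
    return digest, bytes.fromhex(hex_url).decode("utf-8")

def media_type(curl_verbose):
    """Media type of the last response in `curl -v` output ('< ' header lines)."""
    found = None
    for line in curl_verbose.splitlines():
        if line.startswith("< HTTP/"):
            found = None  # a new response begins, e.g. after a redirect
        elif line.startswith("< "):
            name, _, value = line[2:].partition(":")
            if name.strip().lower() == "content-type":
                found = value.split(";")[0].strip().lower()
    return found

def proxy_verdict(curl_verbose):
    """Assumed rule: the image proxy only passes image/* responses through."""
    mt = media_type(curl_verbose)
    if mt is None:
        return "reject: no content-type header"
    if not mt.startswith("image/"):
        return f"reject: {mt} is not image/*"
    return f"ok: {mt}"
```

Run against the origin of every README image, this flags the storage bucket's `application/octet-stream` response before the badge breaks; the remedy on the origin side is to serve the object with an image media type such as `image/svg+xml`.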
vorburger commented 1 year ago

I have sent the following to support@github.com, and will update this based on what they say:

Subject: camo.githubusercontent.com Varnish MIME content-type header check is too strict and cache breaks SVG badges in MD

In https://github.com/google/android-fhir/issues/2177 I have documented an analysis illustrating that your Varnish cache on camo.githubusercontent.com is configured a bit too strict with regards to MIME content-type header checking, and that instead of caching it actually breaks e.g. SVG badges in MD, which work when directly accessed from browsers. Is this something you would consider fixing?

vorburger commented 1 year ago

> I have sent the following to support@github.com, and will update this based on what they say:

They said: "We now require that new support requests be created using our Support website: https://support.github.com" 😺

https://support.github.com/ticket/personal/0/2336602 thus now created.

omarismail94 commented 1 year ago

thanks for looking into this! I do not have access to the ticket, but let us know what they respond with!

vorburger commented 1 year ago

> do not have access to the ticket, but let us know what they respond with!

GitHub Support responded saying, quote: "Thank you for taking the time to perform such a thorough investigation into this problem! I have taken care of forwarding your report to our team for investigation. We will follow-up with you when there are any developments to share."

#2231 from @omarismail94 removes the broken badge until GitHub fixes this problem (SGTM).

I'm closing this, as there is "nothing left that I can do" about this here; all good!