imgix / gatsby

A simple yet powerful integration between Gatsby and imgix
BSD 2-Clause "Simplified" License

`disableIxlibParam` doesn't work #228

Closed arsinclair closed 2 years ago

arsinclair commented 2 years ago
  1. The disableIxlibParam setting doesn't work. When it is not set (or set to false), the URLs generated look like this: https://domain.net/image.jpg?ixlib=gatsbySourceUrl-2.0.2. When it is set to true, the URLs look like this: https://domain.net/image.jpg?ixlib=js-3.5.1.

I expect that disableIxlibParam should disable any variation of ixlib param.

  2. Another question is why something that's claimed to be a diagnostic mechanism is enabled by default? Can we switch it off by default? Imagine that a security vulnerability is found in a specific version of a plugin. Exposing the version of the library in the URLs of every image can expedite identification of many vulnerable sites that use this specific version.

  3. The documentation (README.md) has some discrepancies: sometimes it says that to disable the ixlib param, one needs to set includeLibraryParam to false, other times it says that in order to disable it, disableIxlibParam should be set to true. None of these settings (or their combination) allows disabling the version of the library entirely.

Information:

atlawrie commented 2 years ago

Hello and thank you for bringing this to our attention. You’re right that disableIxlibParam isn’t working as intended; we’ve identified the cause of the issue internally and should be rolling out a fix sometime this upcoming week.

In the past, the library parameter has been useful for users who write in to our support channel. Having information on-hand like the library where the request originated from has allowed us to provide smoother support more quickly. The good news is that with the subsequent fix we are making, you should be able to globally disable the library parameter through the gatsby-config file [1][2].

In terms of the differences between disableIxlibParam and includeLibraryParam, this is mostly a difference of usage and scope. disableIxlibParam is used as a setting in gatsby-config.js, letting the user for instance disable the ixlib parameters by default, while includeLibraryParam is used on a function by function basis, letting the user override their global setting depending on their need. You’re absolutely right that our documentation is unclear on this point, and we’re planning on updating that alongside our fix.

arsinclair commented 2 years ago

It's good to know this is a bug. Do you have a time estimate when the fix will be ready?

atlawrie commented 2 years ago

Hi @arsinclair, we're still working on this. We don’t currently have an ETA for when we’ll be deploying a fix, but we’ll make sure to update this thread when we do.

atlawrie commented 2 years ago

Hi @arsinclair, we've deployed our fix for this issue in 2.0.4. Thank you again for reporting this, and please don't hesitate to comment on this issue if we missed something and I'll be sure to re-open it.