umbraco / Umbraco.Cloud.Issues

Public issue tracker for Umbraco Cloud

Cache Everything option caches not published content when Umbraco Preview mode is active #724

Open Rosen-Petrov opened 5 months ago

Rosen-Petrov commented 5 months ago

Issue description

Hello,

This is a tricky one and is a huge problem for our client because it exposes content which is not published.

As part of performance optimizations we have enabled the "Cache Everything" option under the "CDN Caching and Optimization settings section". Shortly after that we got feedback that unpublished content becomes visible on the site, and after some troubleshooting we were able to reproduce the issue. Here are the steps:

  1. Our content editors use the live hostname to access the backoffice. (https://somelivehostname.com/umbraco)
  2. When they click the Preview button on a page, Umbraco enters a Preview mode and starts showing content which is not published. By itself this is not the issue.
  3. A content editor doesn't click on the "End Preview" button. This causes the browser to keep the "UmbracoPreview" cookie.
  4. When the Cloudflare cache expires and the first request to a page is from a content editor's browser which has the "UmbracoPreview" cookie, Umbraco detects that preview mode is active, and unpublished content is pulled and cached by Cloudflare, making it visible to all visitors.

I see that it is an edge case, but it happens to us pretty often and I believe that some improvements should be made in the integration with Cloudflare so it doesn't cache when Umbraco is in Preview Mode.

This is actually an issue when you just use the default Dotnet OutputCache, as well, but there we have control to fix it by customizing the caching logic. I mention this because it might make sense to revisit the Preview functionality in Umbraco as a whole since it has this "weak" part where the "UmbracoPreview" cookie easily sticks and this causes issues with different HTML Output caching mechanisms.

For now, we made our clients clear their cookies and use the default Umbraco Cloud URL for editing. But since this is not an official recommendation or rule which Umbraco has pushed so far, I decided to raise this ticket, so it gets addressed properly.

Kind regards, Rosen
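The caching sequence in steps 3 and 4 of the report above, next to a bypass-on-preview-cookie rule of the kind the reporter asks for, as an added JavaScript simulation (not part of the original thread, and not Umbraco or Cloudflare code). The origin and edge functions are constructed stand-ins; only the cookie name `UmbracoPreview` comes from the issue.

```javascript
// Constructed simulation: no real Cloudflare or Umbraco API is called.
const PREVIEW_COOKIE = "UmbracoPreview"; // cookie name taken from the issue

// Parse a Cookie header and report whether the preview cookie is present.
// Names are compared exactly, so "NotUmbracoPreview" does not match.
function hasPreviewCookie(cookieHeader) {
  return (cookieHeader || "")
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .includes(PREVIEW_COOKIE);
}

// Stand-in origin: renders the saved draft when the preview cookie is sent.
function origin(request) {
  return hasPreviewCookie(request.cookie)
    ? "DRAFT: unpublished text"
    : "PUBLISHED: live text";
}

// Edge cache keyed on URL only, as with a cache-everything rule.
// bypassOnPreview=false reproduces the report; true is the mitigation.
function makeEdge(bypassOnPreview) {
  const store = new Map();
  return function handle(request) {
    if (bypassOnPreview && hasPreviewCookie(request.cookie)) {
      return origin(request); // neither read from nor written to the cache
    }
    if (!store.has(request.url)) {
      store.set(request.url, origin(request)); // first request fills the entry
    }
    return store.get(request.url);
  };
}

// Steps 3-4: an editor with a leftover preview cookie is the first to hit an
// expired entry, then an anonymous visitor requests the same URL.
function visitorSeesAfterEditor(bypassOnPreview) {
  const edge = makeEdge(bypassOnPreview);
  const editor = { url: "/news", cookie: "lang=en; UmbracoPreview=constructed-value" };
  const visitor = { url: "/news", cookie: "" };
  const editorView = edge(editor);
  return { editorView, visitorView: edge(visitor) };
}

console.log("no bypass:  ", visitorSeesAfterEditor(false));
console.log("with bypass:", visitorSeesAfterEditor(true));
```

With the bypass in place the editor still gets the draft for preview, but that response never becomes the shared cache entry.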

sajumb commented 5 months ago

Hello @Rosen-Petrov, thank you for bringing this issue to our attention, and especially for outlining the steps and scenarios so clearly. Your insights have brought to light the challenges your clients face with the inadvertent visibility of unpublished content, stemming from the interaction between Umbraco's Preview mode, the UmbracoPreview cookie, and Cloudflare's "Cache Everything" setting.

We aim to address this issue in a manner that ensures both the performance and security of content managed through Umbraco Cloud.

Thank you again for your detailed report.