Problem/Motivation
It'd be nice if we had granularity for which query strings are allowed for specific routes rather than it being a whitelist. This ensures that certain URLs aren't invalidated when not necessary.
Steps to reproduce
1. Add the page
query parameter to the include list.
2. The page
query parameter affects pages which don't normally make use of paginations like nodes.
Proposed resolution
Provide UI to provide granulatity of the rules on a route by route basis.
Taking inspiration from
#1245482-27: URL variation DOS attack protection →
Additional details:
1. Provide a way for developers or site builders to annotate routes with a list of allowed query parameters (with optional regex for allowed values, e.g. page
only takes in digits)
2. Add a Routing listener service that will parse all the routes, gather these data, and store them in a KV system (remember, Drupal core has a builtin KV; don't forget default args like q
and page
)
3. Create an `http.middleware` tagged service coming in before the internal page cache, that will hit this KV and rewrite the inbound request accordingly, stripping unexpected args and ordering the others.
These can all be done as a submodule if the existing global behaviour is desired for your use cases, or an upgrade path can be provided to support the old global behaviour.
Remaining tasks
Provide new UI and update config schemas accordingly.
User interface changes
Provide UI for managing route specific query parameter rules.
API changes
TDB.