Support conditional compression

[Tratcher]

Split from #2458 (comment)

Background:
Response compression is disabled by default for HTTPS requests due to BEAST and CRIME attacks. These attacks are primarily a concern for dynamic content that the user can influence. Since this is not the case for static assets we should have some way for those assets to opt into compression. This is especially true for the StaticFiles middleware, and transitively Blazor apps.

Proposal:
@DamianEdwards: I think the eventual fix here would be to introduce a new request feature that the static file middleware can set when serving files that indicates the response is from static content, thus allowing the compression middleware to safely compress responses only when the feature indicates it was static in nature. Of course it's still possible for another middleware in-between to change the content and introduce issues again. If we care enough about that we could have the feature actually poison the response headers and body (e.g. via wrapping) such that they can't be modified. Also, technically it isn't about what's static but what contains user manipulable content, so the feature should likely be built around that premise instead, allowing any response (including dynamic responses from things like MVC actions) to declare that they're free from user manipulation and thus safe to compress over HTTPS.

Another approach we can take is to use endpoint metadata (if StaticFiles is going to be converted).

[muratg]

cc @danroth27 @shirhatti

[danroth27]

@muratg Can we get this one assigned and put in a milestone?

[muratg]

@Tratcher what's the cost of this?

[Tratcher]

Small. There's a little bit of design to work out but the implementation is easy enough. E.g. how does the feature interact with the existing response compression settings like EnableForHttps, MimeTypes, and ExcludedMimeTypes?

I think the feature will have a single enum field with levels like:

• No compression
• Use the existing ResponseCompressionOptions
• Override only EnableForHttps, not MimeTypes and ExcludedMimeTypes. This is what StaticFiles wants.
• Override only MimeTypes and ExcludedMimeTypes, not EnableForHttps.
• Override all ResponseCompressionOptions, but not the Accept-Encoding header.
• Override everything and compress. What compression scheme would you pick for this? The first one?

Not sure we have a scenario for all of these yet (or good names for them), but using an enum gives us some future proofing. We need at least the first 3.

Static files would need a new option to opt-in/out of this behavior. Use the same enum? Make sure it can be overridden in the StaticFiles OnPrepareResponse event.

[shirhatti]

cc @JunTaoLuo