From 1bc589d45f8496c3e6ecaa6f2e2a83f65e8594a3 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Fri, 10 Feb 2023 03:56:20 -0500
Subject: [PATCH] drop HTTP/2 Push support since Chromium dropped it

This only improves performance for the initial page load by sending resources that are almost always needed before the client receives the preload headers and fetches them. It can degrade performance in some edge cases such as clients with web fonts disabled or if the session cookie is cleared without the cache being cleared. Clients can cancel the push transfers once they start receiving them, but it's wasteful. Safari and Firefox still support this feature but are likely to follow the lead of Chromium and drop support for it. Few websites are going to bother with it without Chromium support and usage is already dropping.
---
 nginx/nginx.conf | 89 +------------------------------------
 nginx/snippets/preload.conf | 6 +--
 2 files changed, 3 insertions(+), 92 deletions(-)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 3fd9d4e8..ad00fd68 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -89,37 +89,8 @@ http {
 /usage.html ", <{{path|/js/redirect.js}}>; rel=modulepreload; integrity={{integrity|/js/redirect.js}}";
 }
 
- map $http_cookie $nopush {
- ~__Host-push=1 1;
- default 0;
- }
-
- map $nopush $push_cookie {
- 0 "__Host-push=1; HttpOnly; Secure; SameSite=Lax; Path=/";
- }
-
- map $nopush $push_stylesheet {
- 0 "{{path|/main.css}}";
- }
-
- map $nopush $push_font_regular {
- 0 /fonts/roboto-v29-regular-latin.woff2;
- }
-
- map $nopush $push_font_bold {
- 0 /fonts/roboto-v29-bold-latin.woff2;
- }
-
- map $nopush $push_mask_icon {
- 0 "{{path|/mask-icon.svg}}";
- }
-
- map $nopush $push_phone {
- 0 "{{path|/pixel-7-pro.svg}}";
- }
-
- map $nopush $push_redirect_js {
- 0 "{{path|/js/redirect.js}}";
+ map $http_cookie $clear_legacy_push_cookie {
+ ~__Host-push= "__Host-push=; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=0";
 }
 
 server {
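Review bot: The new `$clear_legacy_push_cookie` map has no comment saying that it is a transitional shim or why it has no `default`, so a later edit could break it without anyone noticing. With no `default` the variable is empty for clients that do not send the cookie, and nginx's `add_header` emits nothing for an empty value, which is what keeps Set-Cookie off ordinary responses. The expiring value also has to keep `Secure` and `Path=/` and must not gain a `Domain` attribute, because browsers reject any write to a `__Host-` cookie that lacks them, including one that only expires it. I would add above the map: `# Expire the cookie left by the removed HTTP/2 Push setup; no default, so no Set-Cookie unless it is present. Keep the __Host- attributes.` The enclosing `http` block starts and ends outside the hunk.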
@@ -339,43 +310,6 @@ http {
 default_type application/trafficadvice+json;
 }
 
- location = / {
- include snippets/security-headers.conf;
- add_header Cross-Origin-Resource-Policy "same-origin" always;
- add_header Cache-Control "public, no-cache";
- include snippets/preload.conf;
- http2_push $push_phone;
- http2_push $push_redirect_js;
- try_files /index.html =404;
- }
-
- location = /faq {
- include snippets/security-headers.conf;
- add_header Cross-Origin-Resource-Policy "same-origin" always;
- add_header Cache-Control "public, no-cache";
- include snippets/preload.conf;
- http2_push $push_redirect_js;
- try_files $uri.html =404;
- }
-
- location = /install/ {
- include snippets/security-headers.conf;
- add_header Cross-Origin-Resource-Policy "same-origin" always;
- add_header Cache-Control "public, no-cache";
- include snippets/preload.conf;
- http2_push $push_redirect_js;
- try_files /install/index.html =404;
- }
-
- location = /install/cli {
- include snippets/security-headers.conf;
- add_header Cross-Origin-Resource-Policy "same-origin" always;
- add_header Cache-Control "public, no-cache";
- include snippets/preload.conf;
- http2_push $push_redirect_js;
- try_files $uri.html =404;
- }
-
 location = /install/web {
 include snippets/security-headers-base.conf;
 add_header Content-Security-Policy "default-src 'none'; child-src 'self'; connect-src 'self' https://releases.grapheneos.org/; font-src 'self'; img-src 'self'; manifest-src 'self'; script-src 'self'; style-src 'self'; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'" always;
@@ -383,25 +317,6 @@ http {
 add_header Cross-Origin-Resource-Policy "same-origin" always;
 add_header Cache-Control "public, no-cache";
 include snippets/preload.conf;
- http2_push $push_redirect_js;
- try_files $uri.html =404;
- }
-
- location = /releases {
- include snippets/security-headers.conf;
- add_header Cross-Origin-Resource-Policy "same-origin" always;
- add_header Cache-Control "public, no-cache";
- include snippets/preload.conf;
- http2_push $push_redirect_js;
- try_files $uri.html =404;
- }
-
- location = /usage {
- include snippets/security-headers.conf;
- add_header Cross-Origin-Resource-Policy "same-origin" always;
- add_header Cache-Control "public, no-cache";
- include snippets/preload.conf;
- http2_push $push_redirect_js;
 try_files $uri.html =404;
 }
 
diff --git a/nginx/snippets/preload.conf b/nginx/snippets/preload.conf
index 96db1dc0..1e187441 100644
--- a/nginx/snippets/preload.conf
+++ b/nginx/snippets/preload.conf
@@ -1,6 +1,2 @@
 add_header Link "<{{path|/main.css}}>; rel=preload; as=style; integrity={{integrity|/main.css}}, ; rel=preload; as=font; crossorigin, ; rel=preload; as=font; crossorigin, <{{path|/mask-icon.svg}}>; rel=preload; as=image$preload_resources_uri" always;
-add_header Set-Cookie $push_cookie always;
-http2_push $push_stylesheet;
-http2_push $push_font_regular;
-http2_push $push_font_bold;
-http2_push $push_mask_icon;
+add_header Set-Cookie $clear_legacy_push_cookie always;
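Review bot: `add_header Set-Cookie $clear_legacy_push_cookie always;` in preload.conf lands on responses that the including locations mark `Cache-Control "public, no-cache"` (visible in the nginx.conf hunks), so a shared cache is allowed to store a response that carries this Set-Cookie. The stored copy has to be revalidated before reuse and the header only expires a non-sensitive flag, so the effect looks benign here, but it deserves a comment so the pattern is not copied for a cookie that matters. The line is also only useful until existing clients have dropped the old cookie; a marker such as `# TODO: remove together with $clear_legacy_push_cookie once legacy __Host-push cookies have expired` would keep the shim from becoming permanent.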