You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/05/18 21:40:42 UTC

DO NOT REPLY [Bug 51223] New: 304 HTTP Not Modified strips out CORS headers

https://issues.apache.org/bugzilla/show_bug.cgi?id=51223

             Bug #: 51223
           Summary: 304 HTTP Not Modified strips out CORS headers
           Product: Apache httpd-2
           Version: 2.2.14
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: arthur@inkling.com
    Classification: Unclassified


Created attachment 27027
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=27027
Patch for the ubuntu package

Per the RFC, HTTP Not Modified should not include entity headers "Section
10.3.5: the response SHOULD NOT include other entity-headers"

However, the Cross-Origin-Resource-Sharing spec (http://www.w3.org/TR/cors/)
defines a few headers that are not entity headers and should therefore be
allowed in the 304 response:
"Access-Control-Allow-Origin",
"Access-Control-Allow-Credentials",
"Access-Control-Allow-Methods",
"Access-Control-Allow-Headers",
"Access-Control-Max-Age"

I understand that CORS is currently only a draft but it currently prevents any
web application from properly adopting this new standard. Indeed, a client
making a CORS request will not see the response if it is an Http Not Modified
304. The browser will block it due to the missing CORS headers.

Patch attached.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 51223] 304 HTTP Not Modified strips out CORS headers

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=51223

Christophe JAILLET <ch...@wanadoo.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |PatchAvailable

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[Bug 51223] 304 HTTP Not Modified strips out CORS headers

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=51223

--- Comment #1 from Mark Nottingham <mn...@mnot.net> ---
CORS doesn't require those headers on a 304, and indeed browsers work without
them present on it. This is because many 304s are generated from intermediary
caches that can't be updated to know about CORS.

Recommend INVALID.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[Bug 51223] 304 HTTP Not Modified strips out CORS headers

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=51223

--- Comment #3 from Mark Nottingham <mn...@mnot.net> ---
Full test here:
  https://github.com/w3c/web-platform-tests/pull/1400

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[Bug 51223] 304 HTTP Not Modified strips out CORS headers

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=51223

Mark Nottingham <mn...@mnot.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mnot@mnot.net

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[Bug 51223] 304 HTTP Not Modified strips out CORS headers

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=51223

webdev <we...@blizzard.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |webdev@blizzard.com

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[Bug 51223] 304 HTTP Not Modified strips out CORS headers

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=51223

Peter Newman <wi...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wizarth@gmail.com

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

[Bug 51223] 304 HTTP Not Modified strips out CORS headers

Posted by bu...@apache.org.

https://issues.apache.org/bugzilla/show_bug.cgi?id=51223

--- Comment #2 from Michiel de Jong <mi...@unhosted.org> ---
Mark Nottingham:
> browsers work without them present on it

Maybe I misunderstood your point, but I was not able to reproduce that finding.

My steps:

* Run this node script on test.com:

````js
require('http').createServer(function(req, res) {
  res.writeHeader(304);
  res.end();
}).listen(8080);
````

* Visit http://example.com/ and paste this into the console:

````js
xhr = new XMLHttpRequest();
xhr.open('GET', 'http://test.com:8080/', true);
xhr.send();
````

Firefox on Ubuntu reports:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the
remote resource at http://test.com:8080/. This can be fixed by moving the
resource to the same domain or enabling CORS.

Chromium on Ubuntu reports:
XMLHttpRequest cannot load http://test.com:8080/. No
'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://example.com' is therefore not allowed access.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org