Get CORS working on 304s with Apache #1
Comments
OK, looks like it affects us; in the test-suites repo, run:
root@f18bb8c0de16:/var/www/html# cat test.php
<?php
http_response_code(304);
header('Access-Control-Allow-Origin: *');
header('ETag: "etag 2"');
header('some: otherheader');
header('Content-Type: text/plain');
?>
Then in the tester container run:
root@d12120b30b2f:/app# curl -ik https://server/test.php
HTTP/1.1 304 Not Modified
Date: Fri, 10 Jul 2020 08:24:19 GMT
Server: Apache/2.4.38 (Debian)
ETag: "etag 2"
root@d12120b30b2f:/app#
As you see, the headers (with the exception of the ETag header) get stripped (presumably by Apache) due to the 304 status.
If you remove the
root@d12120b30b2f:/app# curl -ik https://server/test200.php
HTTP/1.1 200 OK
Date: Fri, 10 Jul 2020 08:28:12 GMT
Server: Apache/2.4.38 (Debian)
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block
X-Powered-By: PHP/7.4.7
Access-Control-Allow-Origin: *
ETag: "etag 2"
some: otherheader
Content-Length: 0
Content-Type: text/plain;charset=UTF-8
root@d12120b30b2f:/app#
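The two curl captures above can be compared mechanically. The following is an added example, not code from this thread or the project: it parses both response heads and lists the headers missing from the 304, picking out the CORS ones. The function names and the choice to skip body-describing headers are assumptions of this example.

```python
# Response heads copied from the curl -ik output in the thread (200 abridged).
RESP_304 = """\
HTTP/1.1 304 Not Modified
Date: Fri, 10 Jul 2020 08:24:19 GMT
Server: Apache/2.4.38 (Debian)
ETag: "etag 2"
"""
RESP_200 = """\
HTTP/1.1 200 OK
Server: Apache/2.4.38 (Debian)
Access-Control-Allow-Origin: *
ETag: "etag 2"
some: otherheader
Content-Type: text/plain;charset=UTF-8
"""

# Assumption: body-describing headers are not reported (a 304 has no body).
BODY_HEADERS = {"content-length", "content-type"}


def parse_head(raw):
    """Return (status code, {lower-cased header name: value})."""
    lines = raw.splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():  # a blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def dropped_on_304(raw_200, raw_304):
    """Headers sent on the 200 but missing from the 304 (body headers skipped)."""
    (s200, h200), (s304, h304) = parse_head(raw_200), parse_head(raw_304)
    if (s200, s304) != (200, 304):
        raise ValueError("expected one 200 and one 304 response")
    return sorted(set(h200) - set(h304) - BODY_HEADERS)


def cors_dropped(raw_200, raw_304):
    """The dropped headers that are CORS response headers."""
    dropped = dropped_on_304(raw_200, raw_304)
    return [h for h in dropped if h.startswith("access-control-")]


if __name__ == "__main__":
    print(dropped_on_304(RESP_200, RESP_304), cors_dropped(RESP_200, RESP_304))
```

Header names are compared case-insensitively, so the check works the same on HTTP/2 captures where curl prints them in lower case.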
Found this bug report (by Mark Nottingham!) from 2017: And this comment (by Roy Fielding!) from 2018: See also httpwg/http-core#165. And this patch was posted 9 days ago, looks like we need that:
I think this issue can be closed, as things seem to be resolved on the Apache side of things (and we have not received any complaints or noticed anything ourselves). @michielbdejong Can you concur / dispute?
CORS is now handled in a Middleware instead of in Apache configuration, so this should no longer be an issue.
Continuation of https://github.com/pdsinterop/project-admin/blob/HEAD/research/risks.md#5-apache-304-cors-support.