HTTP HEAD request returns status code 403, while GET returns 200
----------------------------------------------------------------
Key: MAGNOLIA-3306
URL: http://jira.magnolia-cms.com/browse/MAGNOLIA-3306
Project: Magnolia
Issue Type: Bug
Reporter: Felix Rabe
Assignee: Boris Kraft
Attachments: Screen shot 2010-09-24 at 3.10.49 PM.jpg
For most Magnolia instances out in the wild, including the corporate website,
*sending an HTTP HEAD request triggers a {{403 Forbidden}} response*, but HTTP
GET is just fine. See attached screenshot. (Hint: Day software gets it right,
and navy.com works correctly too...)
To reproduce what I did in the screenshot, enter in a terminal:
{code:none}
$ nc somedomain 80
HEAD / HTTP/1.1
Host: somedomain
{code}
... and then comes the response from the server. *Expected behaviour* would be
that the HEAD request gets the same response (minus content) as a GET request.
This issue was brought to my attention today when Antti wanted to find the
broken download link on http://www.magnolia-cms.com/home.html using
http://validator.w3.org/checklink/, resulting in
http://validator.w3.org/checklink/checklink?uri=http%3A%2F%2Fwww.magnolia-cms.com%2Fhome.html&hide_type=all&depth=&check=Check
(lots of 403 errors). The link checker correctly uses HTTP HEAD requests
instead of HTTP GET requests (the ones you normally do with your web browser
when going anywhere).
*This is how HTTP HEAD should work:* (quoting
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.4)
{quote}
The HEAD method is identical to GET except that the server MUST NOT return a
message-body in the response. The metainformation contained in the HTTP headers
in response to a HEAD request SHOULD be identical to the information sent in
response to a GET request. This method can be used for obtaining
metainformation about the entity implied by the request without transferring
the entity-body itself. This method is often used for testing hypertext links
for validity, accessibility, and recent modification.
{quote}
I have tested this locally with an admin instance as well on port 8080. It
does not work either:
{code:none}
~ $ nc localhost 8080
HEAD /magnolia-webapp-registration/.magnolia/pages/adminCentral.html HTTP/1.1
Host: localhost:8080
HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
X-Magnolia-Registration: Registered
Content-Type: text/html;charset=UTF-8
Content-Length: 964
Date: Fri, 24 Sep 2010 14:23:23 GMT
{code}
(A GET request gets me {{401 Unauthorized}}, which is the correct response as I
have to log in first.)
--
This message is automatically generated by JIRA.
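As an added check (example code written for this page, not Magnolia's or JIRA's code): the comparison a link checker performs, issuing HEAD and then GET for the same path and testing whether status and entity headers agree as RFC 2616 section 9.4 requires. It runs against two small hypothetical in-process servers, one reproducing the reported 403-on-HEAD behaviour and one answering HEAD correctly. The page body, the path /home.html and both handlers are constructed stand-ins and are not Magnolia's servlet code.

```python
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample page body; it stands in for a real Magnolia page such as
# /home.html and is not taken from any Magnolia instance.
PAGE = b"<html><body><h1>home</h1></body></html>"

# Entity headers that RFC 2616 section 9.4 says SHOULD match between HEAD and
# GET. Date and Server are deliberately left out: they may legitimately differ.
COMPARED_HEADERS = ("Content-Type", "Content-Length", "Last-Modified")


class FixedHandler(BaseHTTPRequestHandler):
    """Correct behaviour: HEAD sends exactly the headers GET would send and
    omits only the message body. Hypothetical handler, not Magnolia's code."""

    def _send_headers(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html;charset=UTF-8")
        self.send_header("Content-Length", str(len(PAGE)))
        self.end_headers()

    def do_GET(self):
        self._send_headers()
        self.wfile.write(PAGE)

    def do_HEAD(self):
        self._send_headers()  # same status and headers as GET, no body

    def log_message(self, *args):
        pass  # keep the example quiet


class BuggyHandler(FixedHandler):
    """Hypothetical reproduction of the reported behaviour: GET works but
    HEAD is rejected with 403 Forbidden."""

    def do_HEAD(self):
        self.send_error(403)  # send_error already omits the body for HEAD


def start_server(handler):
    """Start a handler on an ephemeral loopback port; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def compare_head_get(host, port, path="/"):
    """Issue HEAD and then GET for the same path, the way a link checker does,
    and report whether the two responses agree as RFC 2616 requires."""
    conn = HTTPConnection(host, port, timeout=5)
    conn.request("HEAD", path)
    head = conn.getresponse()
    head_body = head.read()  # must be empty for a HEAD response
    conn.request("GET", path)  # http.client reconnects if the server closed
    get = conn.getresponse()
    get_body = get.read()
    conn.close()

    mismatched = [
        name for name in COMPARED_HEADERS
        if head.getheader(name) != get.getheader(name)
    ]
    return {
        "head_status": head.status,
        "get_status": get.status,
        "head_body_empty": head_body == b"",
        "get_body_length": len(get_body),
        "mismatched_headers": mismatched,
        "consistent": (head.status == get.status
                       and not mismatched
                       and head_body == b""),
    }


if __name__ == "__main__":
    for name, handler in (("buggy", BuggyHandler), ("fixed", FixedHandler)):
        server, port = start_server(handler)
        print(name, compare_head_get("127.0.0.1", port, "/home.html"))
        server.shutdown()
        server.server_close()
```

compare_head_get can equally be pointed at a real host and port (the same pair used in the nc session above) to get a structured version of what the W3C link checker reports: a 403 on HEAD beside a 200 on GET shows up as head_status 403, get_status 200 and consistent False, while a correct server yields matching statuses, no mismatched entity headers and an empty HEAD body.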