[ http://jira.magnolia-cms.com/browse/MAGNOLIA-3306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Felix Rabe updated MAGNOLIA-3306:
---------------------------------
Description:
For most Magnolia instances out in the wild, including the corporate website,
*sending an HTTP HEAD request triggers a {{403 Forbidden}} response*, but HTTP
GET is just fine. See attached screenshot. (Hint: Day software gets it right,
and navy.com works correctly too...)
To reproduce what I did in the screenshot, enter in a terminal:
{code:none}
$ nc somedomain 80
HEAD / HTTP/1.1
Host: somedomain
{code}
... (followed by an empty line to finish the header) and then comes the
response from the server. *Expected behaviour* would be that the HEAD request
gets the same response (minus content) as a GET request.
This issue was brought to my attention today when Antti wanted to find the
broken download link on http://www.magnolia-cms.com/home.html using
http://validator.w3.org/checklink/, resulting in
http://validator.w3.org/checklink/checklink?uri=http%3A%2F%2Fwww.magnolia-cms.com%2Fhome.html&hide_type=all&depth=&check=Check
(lots of 403 errors). The link checker correctly uses HTTP HEAD requests
instead of HTTP GET requests (the ones you normally do with your web browser
when going anywhere).
*This is how HTTP HEAD should work:* (quoting
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.4)
{quote}
The HEAD method is identical to GET except that the server MUST NOT return a
message-body in the response. The metainformation contained in the HTTP headers
in response to a HEAD request SHOULD be identical to the information sent in
response to a GET request. This method can be used for obtaining
metainformation about the entity implied by the request without transferring
the entity-body itself. This method is often used for testing hypertext links
for validity, accessibility, and recent modification.
{quote}
I have tested this locally with an admin instance as well on port 8080. It
does not work either:
{code:none}
~ $ nc localhost 8080
HEAD /magnolia-webapp-registration/.magnolia/pages/adminCentral.html HTTP/1.1
Host: localhost:8080

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
X-Magnolia-Registration: Registered
Content-Type: text/html;charset=UTF-8
Content-Length: 964
Date: Fri, 24 Sep 2010 14:23:23 GMT
{code}
(A GET request gets me {{401 Unauthorized}}, which is the correct response as I
have to log in first.)
was:
For most Magnolia instances out in the wild, including the corporate website,
*sending an HTTP HEAD request triggers a {{403 Forbidden}} response*, but HTTP
GET is just fine. See attached screenshot. (Hint: Day software gets it right,
and navy.com works correctly too...)
To reproduce what I did in the screenshot, enter in a terminal:
{code:none}
$ nc somedomain 80
HEAD / HTTP/1.1
Host: somedomain
{code}
... and then comes the response from the server. *Expected behaviour* would be
that the HEAD request gets the same response (minus content) as a GET request.
This issue was brought to my attention today when Antti wanted to find the
broken download link on http://www.magnolia-cms.com/home.html using
http://validator.w3.org/checklink/, resulting in
http://validator.w3.org/checklink/checklink?uri=http%3A%2F%2Fwww.magnolia-cms.com%2Fhome.html&hide_type=all&depth=&check=Check
(lots of 403 errors). The link checker correctly uses HTTP HEAD requests
instead of HTTP GET requests (the ones you normally do with your web browser
when going anywhere).
*This is how HTTP HEAD should work:* (quoting
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.4)
{quote}
The HEAD method is identical to GET except that the server MUST NOT return a
message-body in the response. The metainformation contained in the HTTP headers
in response to a HEAD request SHOULD be identical to the information sent in
response to a GET request. This method can be used for obtaining
metainformation about the entity implied by the request without transferring
the entity-body itself. This method is often used for testing hypertext links
for validity, accessibility, and recent modification.
{quote}
I have tested this locally with an admin instance as well on port 8080. It
does not work either:
{code:none}
~ $ nc localhost 8080
HEAD /magnolia-webapp-registration/.magnolia/pages/adminCentral.html HTTP/1.1
Host: localhost:8080

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
X-Magnolia-Registration: Registered
Content-Type: text/html;charset=UTF-8
Content-Length: 964
Date: Fri, 24 Sep 2010 14:23:23 GMT
{code}
(A GET request gets me {{401 Unauthorized}}, which is the correct response as I
have to log in first.)
> HTTP HEAD request returns status code 403, while GET returns 200
> ----------------------------------------------------------------
>
> Key: MAGNOLIA-3306
> URL: http://jira.magnolia-cms.com/browse/MAGNOLIA-3306
> Project: Magnolia
> Issue Type: Bug
> Reporter: Felix Rabe
> Assignee: Boris Kraft
> Attachments: Screen shot 2010-09-24 at 3.10.49 PM.jpg
>
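Added example (not part of the original JIRA report or of Magnolia's code): a Python check that requests the same path with GET and with HEAD and lists where the two responses differ, which is the comparison the RFC 2616 passage quoted in the report calls for. The stub server, its 401/403 replies modelled on the statuses in the report, and all function names are constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

VOLATILE = {"date", "set-cookie"}  # headers that legitimately differ per response

def probe(host, port, path, method):
    """Send one request and return (status, {lower-cased header: value})."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path)
    resp = conn.getresponse()
    resp.read()  # drain the body; a HEAD response carries none
    conn.close()
    return resp.status, {k.lower(): v for k, v in resp.getheaders()}

def head_get_mismatches(host, port, path):
    """List every way the HEAD response deviates from the GET response."""
    g_status, g_hdrs = probe(host, port, path, "GET")
    h_status, h_hdrs = probe(host, port, path, "HEAD")
    issues = [f"status: GET={g_status} HEAD={h_status}"] if g_status != h_status else []
    for name in sorted((set(g_hdrs) | set(h_hdrs)) - VOLATILE):
        g, h = g_hdrs.get(name), h_hdrs.get(name)
        if g != h:
            issues.append(f"header {name}: GET={g!r} HEAD={h!r}")
    return issues

class ReportedBehaviour(BaseHTTPRequestHandler):
    """Constructed stub that answers GET with 401 and HEAD with 403."""
    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/html;charset=UTF-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_GET(self):
        self._reply(401, b"<html>login required</html>")
    def do_HEAD(self):
        self._reply(403, b"")
    def log_message(self, *args):  # silence per-request logging
        pass

def demo():
    """Run the check against the stub on an ephemeral local port."""
    with HTTPServer(("127.0.0.1", 0), ReportedBehaviour) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return head_get_mismatches("127.0.0.1", server.server_port, "/")
        finally:
            server.shutdown()
```

An empty list from `head_get_mismatches` means the two methods are handled consistently for that path; any entry marks a place where request filtering or access control depends on the HTTP method.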