How should an HTTP Agent make decisions about using cached response when a request has the same path but different headers?
Take for example this HTTP request/response:
GET /resource HTTP/1.1
Host: example.org
X-Filter: foo=bar
HTTP/1.1 200 OK
Cache-Control: max-age=3600
Content-Type: application/json
Content-Length: 13
{"foo":"bar"}
Should the agent consider the response valid for a second request with a different X-Filter header? For example:
GET /resource HTTP/1.1
Host: example.org
X-Filter: foo=baz
then within an hour from the first request, should the agent request a fresh response since the request header differs, or should use the cached response from the first request, ignoring the header?
I'm asking this because I noticed that Google Chrome makes a new request, Microsoft Edge instead use the cached response.
You should use the cached version unless changed header appears in the list provided by the (optional) Vary response header.
For example, a response that contains
Vary: accept-encoding, accept-language
indicates that the origin server might have used the request's
Accept-Encoding and Accept-Language fields (or lack thereof) as
determining factors while choosing the content for this response.
Related
I'm creating a HTTP Web API where some of my resources will be cacheable. A cacheable resource will have two operations, GET & PUT. The GET will return response headers of Cache-Control: public,max-age=3600 & Etag: "2kuSN7rMzfGcB2DKt67EqDWQELA". The PUT will require the If-Match header which will contain the Etag value from a GET of the same resource. My goal is to have the browser cache invalidate a resource when I PUT to that resource. This works fine until I add the If-Match header to the PUT request. When the PUT request contains the If-Match header, subsequent GET requests will fetch from the cache which would be stale data. This is the behavior I've been experiencing with Chrome. Firefox doesn't behave like this, and works as I assume it should. Is this a bug in Chrome or am I misunderstanding some part of the HTTP spec?
Here are some example requests to show behavior:
//correctly fetchs from origin server (returns 200)
GET http://localhost/api/my-number/1
Response Headers
cache-control: public,max-age=3600
etag: "2kuSN7rMzfGcB2DKt67EqDWQELA"
Response Body
7
//correctly fetchs from disk cache (returns 200)
GET http://localhost/api/my-number/1
Response Headers
cache-control: public,max-age=3600
etag: "2kuSN7rMzfGcB2DKt67EqDWQELA"
Response Body
7
//correctly updates origin server (returns 200)
PUT http://localhost/api/my-number/1
Request Headers
if-match: "2kuSN7rMzfGcB2DKt67EqDWQELA"
Request Body
8
//incorrectly still fetches from disk cache (returns 200)
GET http://localhost/api/my-number/1
Response Headers
cache-control: public,max-age=3600
etag: "2kuSN7rMzfGcB2DKt67EqDWQELA"
Response Body
7
This is indeed incorrect behavior. RFC 7234 says:
A cache MUST invalidate the effective Request URI... as well as the URI(s) in the Location and Content-Location
response header fields (if present) when a non-error status code is
received in response to an unsafe request method.
Given that, the bug report you filed looks appropriate to me.
I'm currently working with Angular 5.1.2 and i'm trying to get objects from http requests.
In order to verify my code, I've hardcoded a JSON response and created a Python Anywhere's web service, here's what I did :
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=UTF-8
{"Computer":[{
"ip":"192.168.0.142",
"mac":"39-D7-98-9E-5A-DC",
"name":"PC-DE-JEAN-CLAUDE"
},
{
"ip":"192.168.0.50",
"mac":"4D-49-98-30-8A-F5",
"name":"LIVEBOX-684J"
}]}
However, why my Angular app is saying that "No 'Access-Control-Allow-Origin' header is present on the requested resource" ?
Thanks
It is related to CORS issue. It happens when server and client are running on different addresses. To make it run, server need to return Access-Control-Allow-Origin as a Key:Value pair in their header response.
Access-Control-Allow-Origin: *
Specifying value as * means that the content of the address can be accessed by any other address.
It's one of the layer in securing the Internet applications.
This is a server-side problem due to CORS to prevent XSS. In order to fix, make sure your server responds with the header Access-Control-Allow-Origin: * After verifying this fixes the problem, set this header to your website URL
I am testing Forge API, and I have been able to complete requests smoothly for most endpoints, except the GET Hubs - I kept getting a 415 Unsupported Media Type.
Strangely enough, after I remove the Content-Type header - which was the same header used for all the other end-points of Content-Type:application/json -
the request worked and returns a 200 with the correct data.
Is there something about content-type I am not familiar with?
Shouldn't the first request work?
Request 1 - Returns 415 for hubs endpoint: no data
GET https://developer.api.autodesk.com/project/v1/hubs HTTP/1.1
Host: developer.api.autodesk.com
Authorization: Bearer {{ACCESS_TOKEN}}
Content-Type: application/json
Cache-Control: no-cache
Request 2 - Returns 200: data ok
GET https://developer.api.autodesk.com/project/v1/hubs HTTP/1.1
Host: developer.api.autodesk.com
Authorization: Bearer {{ACCESS_TOKEN}}
Cache-Control: no-cache
The JSON API defines that the client MUST send Content-Type: application/vnd.api+json
Answering my own question based on the comments (thanks #chetan-ranpariya)
You don't need to pass a Content-type on GET requests
the API should ignore the header; issue has been reported to API team
I'm receiving invalid characters on try to receiving JSON by http protocol in C.
When I send
GET /<query> http/1.1\r\nHost:<host>\r\n\r\n
then the result displays as follow:
HTTP/1.0 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Content-Encoding: gzip
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Credentials: false
X-Content-Type-Options: nosniff
Date: Sun, 07 Dec 2014 13:14:29 GMT
Content-Length: 11410
�
I don't know why I don't receiving JSON? However, in browser's address bar I type the same query & I received the json as well.
[UPDATE # 1]
I found it useful to work on built-in library, as the error is related to network byte compressions so I used Qt's library QNetworkManager specifically to done this job.
Please use a HTTP library or make yourself comfortable with the HTTP protocol and implement it properly.
Content-Encoding: gzip
At least this line means trouble for your simple parsing. But interestingly, based on your request the server should not sent this line if a non-compressed version is available. This means not only your code is buggy, but that the server might be buggy too (it actually assume that you understand any compressions because you did not say different).
GET / http/1.1\r\nHost:\r\n\r\n
And your request is wrong too. It must be HTTP/1.1 instead of http/1.1. And it must contain a proper host header.
Qt's QNetworkManager is best for this purpose, as it do all the intricate stuff itself & provide elegant interface to user.
Normally, one would use BatchHttpRequest to aggregate several requests, but what if I want to list files for two different users?
Nominally that requires an oauth2 token per-user. BatchHttpRequest either takes one http object (which handles the credentials) for the batch, or pulls it out of the first batched request encountered when .execute() is called.
Using oauth1 to sign each batched requests results in proper results (different feeds for each user). However, using oauth2 and manually constructing the payload results in identical feeds (matching the user in the first batched request):
POST /batch HTTP/1.1
Host: www.googleapis.com
Content-Type: multipart/mixed; boundary=blah
Content-Length: 572
accept-encoding: gzip, deflate
Cache-Control: no-cache
--blah
Content-Type: application/http
Content-Transfer-Encoding: binary
Content-ID: <b29c5de2-0db4-490b-b421-6a51b598bd22+1>
GET /drive/v2/changes HTTP/1.1
Authorization: Bearer ya29.UQAabvlG2hnRPyEAAADUm7vkDe_qg7L49R655IyxvgBnkN7_PEgE3IG7UnZ_ZEmJwUK_6fSV4kTHjNQIjTk
accept: application/json
--blah
Content-Type: application/http
Content-Transfer-Encoding: binary
Content-ID: <b29c5de2-0db4-490b-b421-6a51b598bd22+2>
GET /drive/v2/changes HTTP/1.1
Authorization: Bearer ya29.UQBu8f9W8S5E6RwAAAAPqCOiqoFW3QEFYkBvQGx36UVKNHeEhdZT8GPN-P74ng
accept: application/json
--blah
Since oauth1 works, it seems that this is at least theoretically possible, although I may be blocked by a google bug where the oauth2 token for the first request in the batch overrides any other authorizations included.
The google-provided client does not support this, but providing an Authorization header for each request will work. The example given should work assuming all of the authorization header values are correct.