Comments (10)
Seems to be caused by the HEAD method.
Reproduce with,
curl -I https://check2.torproject.org
from check.
Not sure what else to do with Head requests, since the content does exist, would it make sense to 404 a request that wasn't from a Tor IP, while giving 200 to someone who is, just for HEAD requests? I'm not so sure.
I'd argue to just not support it, or if you do chose to support it then you might need to look into some more useful status codes for the situation.
from check.
@Ryman I decided to fix this another way. I think a response to a HEAD request is supposed to look the same as a
response to a GET request, just without a body, so I'd rather not disallow it.
from check.
In these cases though, the response will always be 200 for HEAD requests then, so it doesn't really mean much (as the handler has been found, and we're not doing any content searching in the handlers one you pass the asset handling lines Phttp.Serve...
). HEAD is after all more generally used for checking cache times or to see if the server is working. HEAD doesn't actually make any sense for this service as both those handlers are 'content found' so they are 200 always regardless of isTor or not?
I'd suggest just quick returning 200s for HEAD instead of special error handling (which will always error for HEAD requests, so may aswell just catch it before doing work)
Regarding the more general problem of what happens if we write to the responsewriter (which sets status 200) and then there's an error in the template. This probably shouldn't happen unless there's an error in the template which will be caught by our initial compiles, or if there's network issues and the connection is lost which won't matter as the client won't get a response then anyway. Perhaps your buffering idea into a bytebuffer or something would be good for that. I think the HEAD issue is quite unique in that regard with it's BodyNotAllowed error.
from check.
@Ryman These are good points. What do you think of 8652915?
from check.
Seems to address the issues, perhaps add a Last-Modified header which is based on Exits.UpdateTime (incase anyone is actually using the HEAD requests to check when they need to recheck their data)?
from check.
Hmm, I like that for the output of the bulk exit list but the other content is dynamic based on IP so although the data hasn't modified, the response will. In fact, we should maybe add Cache-Control: no-cache.
from check.
Yes, good call!
from check.
Sorry, I jumped the gun on that, I agree on Cache-Control but not with just having a Last-Modified on bulk exit (if one is given). Remember that the HEAD won't get the answer of if it is Tor or not, so all Last-Modified will tell it is when the situation last changed, which will still be correct even if it's based on IP, the last time the exitlist was updated it the last time the answers changed.
from check.
From http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html,
The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response. The metainformation contained in the HTTP headers in response to a HEAD request SHOULD be identical to the information sent in response to a GET request. This method can be used for obtaining metainformation about the entity implied by the request without transferring the entity-body itself. This method is often used for testing hypertext links for validity, accessibility, and recent modification.
The response to a HEAD request MAY be cacheable in the sense that the information contained in the response MAY be used to update a previously cached entity from that resource. If the new field values indicate that the cached entity differs from the current entity (as would be indicated by a change in Content-Length, Content-MD5, ETag or Last-Modified), then the cache MUST treat the cache entry as stale.
I highlighted my concerns. I guess since the information should only be used to bust a cache which hopefully won't exist in the first place, it'll be alright.
Ok, let's go for it.
from check.
Related Issues (17)
- "This browser" HOT 1
- Documentation HOT 2
- What to do about false positives that are found? HOT 6
- Bulk should have a port option in the form HOT 1
- Link to Atlas HOT 3
- Init.d script HOT 1
- More stuff HOT 8
- False negatives HOT 26
- make descriptors is downloading too much data HOT 6
- API HOT 3
- rsync
- gzip vs no gzip HOT 2
- Translations HOT 12
- Tests HOT 3
- Project requires exit-data or retrieval information HOT 3
- Extending B) from https://trac.torproject.org/projects/tor/ticket/9204 HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from check.