Magnolia / MAGNOLIA-3306

HTTP HEAD request returns status code 403, while GET returns 200

Details

    • Type: Bug
    • Resolution: Not an issue
    • Priority: Major

    Description

      For most Magnolia instances out in the wild, including the corporate website, sending an HTTP HEAD request triggers a 403 Forbidden response, but HTTP GET is just fine. See attached screenshot. (Hint: Day software gets it right, and navy.com works correctly too...)

      To reproduce what I did in the screenshot, enter in a terminal:

      $ nc somedomain 80
      HEAD / HTTP/1.1
      Host: somedomain
      
      

      ... (followed by an empty line to finish the header) and then comes the response from the server. Expected behaviour would be that the HEAD request gets the same response (minus content) as a GET request.

      This issue was brought to my attention today when Antti wanted to find the broken download link on http://www.magnolia-cms.com/home.html using
      http://validator.w3.org/checklink/, resulting in http://validator.w3.org/checklink/checklink?uri=http%3A%2F%2Fwww.magnolia-cms.com%2Fhome.html&hide_type=all&depth=&check=Check (lots of 403 errors). The link checker correctly uses HTTP HEAD requests instead of HTTP GET requests (the ones you normally do with your web browser when going anywhere).

      This is how HTTP HEAD should work: (quoting http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.4)

      The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response. The metainformation contained in the HTTP headers in response to a HEAD request SHOULD be identical to the information sent in response to a GET request. This method can be used for obtaining metainformation about the entity implied by the request without transferring the entity-body itself. This method is often used for testing hypertext links for validity, accessibility, and recent modification.

      I have tested this locally with an admin instance as well on port 8080. It does not work either:

      ~ $ nc localhost 8080
      HEAD /magnolia-webapp-registration/.magnolia/pages/adminCentral.html HTTP/1.1
      Host: localhost:8080
      
      HTTP/1.1 403 Forbidden
      Server: Apache-Coyote/1.1
      X-Magnolia-Registration: Registered
      Content-Type: text/html;charset=UTF-8
      Content-Length: 964
      Date: Fri, 24 Sep 2010 14:23:23 GMT
      

      (A GET request gets me 401 Unauthorized, which is the correct response as I have to login first.)
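The check a link checker performs, written out as an added example (this is not code from the report or from Magnolia): issue HEAD and GET for the same URL and compare status, headers and body, the way RFC 2616 section 9.4 says they should relate. Two small local servers are constructed here for illustration, one that answers HEAD correctly and one that returns 403 on HEAD while serving GET normally, as the report describes; the comparison ignores the Date header, which legitimately differs between two requests.

```python
"""Compare HEAD and GET for one URL: HEAD must be GET minus the body.

Added example, not part of the MAGNOLIA-3306 report. The two handlers
below are constructed stand-ins: CorrectHandler follows RFC 2616 9.4,
RejectsHeadHandler mimics the reported GET 200 / HEAD 403 behaviour.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

BODY = b"<html><body>hello</body></html>"  # constructed sample page


class CorrectHandler(BaseHTTPRequestHandler):
    """HEAD returns the same status and headers as GET, with no body."""

    def _send_headers(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html;charset=UTF-8")
        self.send_header("Content-Length", str(len(BODY)))
        self.end_headers()

    def do_GET(self):
        self._send_headers()
        self.wfile.write(BODY)

    def do_HEAD(self):
        self._send_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


class RejectsHeadHandler(CorrectHandler):
    """Constructed stand-in for the reported behaviour: GET 200, HEAD 403."""

    def do_HEAD(self):
        self.send_response(403)
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_server(handler):
    """Serve on an ephemeral loopback port in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def compare_head_get(host, port, path="/", ignore=("Date",)):
    """Return how the HEAD response differs from the GET response.

    A link checker relies on HEAD, so a server answering GET 200 but
    HEAD 403 makes every link look broken although the page is fine.
    """
    results = {}
    for method in ("HEAD", "GET"):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, path)
        resp = conn.getresponse()
        body = resp.read()  # http.client knows HEAD carries no body
        results[method] = (resp.status, dict(resp.getheaders()), body)
        conn.close()
    head_status, head_hdrs, head_body = results["HEAD"]
    get_status, get_hdrs, _ = results["GET"]
    differing = sorted(
        k for k in set(head_hdrs) | set(get_hdrs)
        if k not in ignore and head_hdrs.get(k) != get_hdrs.get(k)
    )
    return {
        "head_status": head_status,
        "get_status": get_status,
        "head_has_body": len(head_body) > 0,
        "differing_headers": differing,
        "head_consistent": (head_status == get_status
                            and not differing and not head_body),
    }


def check_handler(handler):
    """Run the comparison against a temporary server using `handler`."""
    srv, port = start_server(handler)
    try:
        return compare_head_get("127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, handler in (("correct", CorrectHandler),
                          ("rejects HEAD", RejectsHeadHandler)):
        print(name, check_handler(handler))
```

Pointing `compare_head_get` at a real host and port reproduces the terminal session above without `nc`; a result with `head_consistent` false and a 403 `head_status` is exactly what the W3C link checker turns into a wall of 403 errors.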

People

    • had (Jan Haderka)
    • frabe (Felix Rabe)