Remove content-length for notModified responses

[natebosch]

It is an error to include a non-zero content-length when there is no
body. In some places, especially those where we are implementing a
proxy, we were previously relying on behavior in shelf which would zero
out the content length when there is no body. After allowing a content
length without a body for HEAD requests we lost the safety for other
request types.

The errors that have surfaced since published are related to
Response.notModified which should never have a content-length, so
handling it there should retain most of the safety we had before. There
is still the possibility for problems in other response types which will
need to be handled at the usage site.

[kevmoo]

Nit: it's totally fine for a 304 to include a content-length – as long as it matches what WOULD be sent

[natebosch]

Nit: it's totally fine for a 304 to include a content-length – as long as it matches what WOULD be sent

Is that a bug in dart:io in that case?

[kevmoo]

That's what I'm thinking! Or the code implemented in google3

…

On Mon, May 10, 2021 at 3:14 PM Nate Bosch ***@***.***> wrote: Nit: it's totally fine for a 304 to include a content-length – as long as it matches what WOULD be sent Is that a bug in dart:io in that case? — You are receiving this because your review was requested. Reply to this email directly, view it on GitHub <#183 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAEFCTGDDQRD2DCADU4K2TTNBLFLANCNFSM44SLBO7Q> .

[natebosch]

From my reading of the spec including this header is either a "SHOULD NOT" or a "MUST NOT" depending on the request.

https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.5

If the conditional GET used a strong cache validator (see section 13.3.3), the response SHOULD NOT include other entity-headers. Otherwise (i.e., the conditional GET used a weak validator), the response MUST NOT include other entity-headers; this prevents inconsistencies between cached entity-bodies and updated headers.

I think we mostly use strong cache validators, but given that we still "SHOULD NOT" send the header I'm not inclined to try to bake in support for it in shelf. If we want to file a bug against the SDK we could.

[mraleph]

FYI: dart-lang/sdk#45871

[kevmoo]

GREAT CATCH!

…

On Tue, May 11, 2021 at 12:21 AM Vyacheslav Egorov ***@***.***> wrote: FYI: dart-lang/sdk#45871 <dart-lang/sdk#45871> — You are receiving this because your review was requested. Reply to this email directly, view it on GitHub <#183 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAEFCVKOBBUQR4WQXT7PK3TNDLH3ANCNFSM44SLBO7Q> .