Initial establishment and closing of long-polling transport are missing Content-Type header #2312
Comments
@KatriHaapalinna It's the server that decides the status code, not Atmosphere. Which server are you using, and why do you think we have an issue?

The status code is secondary; I just meant to say that in the case of Content-Length: 0, Content-Type can/should arguably be empty despite the code being a bit inaccurate. Response headers: Response content: Is there a reason for not including the Content-Type for this response?

@KatriHaapalinna This is coming from Jetty (Atmosphere doesn't deal with that).

@jfarcand Are you sure? This issue is also present when I deploy an app to Tomcat, if that's what you mean. Why couldn't the Content-Type be added here: https://github.com/Atmosphere/atmosphere/blob/master/modules/runtime/src/main/java/org/atmosphere/runtime/AtmosphereFramework.java#L2229 Including the Content-Type header is important for compliance with security policies (which increasingly many companies have). The Content-Type header SHOULD be defined for responses that have a payload body, if the type of the content is known (which it is in this case), as stated in the Hypertext Transfer Protocol standards (RFC 7231, HTTP/1.1 Semantics and Content, section 3.1.1.5). Later in the aforementioned section 3.1.1.5, it is explained that if Content-Type is not set, the recipient MAY assume the data is application/octet-stream or examine the data to determine the type. This is not desirable, because clients that do so risk drawing wrong conclusions, which could expose additional security risks (e.g. attacks based on MIME-type confusion; XSS). To sum up, the Content-Type header is not strictly required, but very advisable for better security policy compliance, and there are really no reasons not to have it present in the response.

@KatriHaapalinna Good point! Thanks for the explanation. Do you have the cycle to contribute a patch?
Add Content-Type to first response (#2312)
Fixes
Cases where the Content-Type header is not included:
The 2nd case has a 0-length response body, so perhaps 'Content-Type' doesn't make much sense, but then the return code 204 (No Content) would probably be more idiomatic/accurate than 200, because 204 would indicate more clearly that the body is empty and justify the 'missing' Content-Type.
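The two cases raised in this issue (a body-carrying response without Content-Type, and an empty body returned as 200 instead of 204), as an added header check that is not Atmosphere code: it parses constructed sample response heads and reports each case. The `text/plain; charset=UTF-8` media type in the patched sample is an assumption, not taken from the project.

```python
from typing import Dict, List, Tuple

# Constructed sample response heads (not captured from Atmosphere or any server),
# one per case discussed in the thread plus the two corrected forms.
SAMPLES = {
    # initial long-polling response: body present, Content-Type absent
    "initial_missing": "HTTP/1.1 200 OK\r\nContent-Length: 21\r\nConnection: keep-alive\r\n\r\n",
    # closing response: empty body, returned as 200 without Content-Type
    "closing_empty_200": "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
    # what the thread asks for: Content-Type on the body-carrying response
    # (the media type here is an assumed value, not the project's)
    "patched": "HTTP/1.1 200 OK\r\nContent-Type: text/plain; charset=UTF-8\r\nContent-Length: 21\r\n\r\n",
    # the alternative suggested for the empty case
    "closing_204": "HTTP/1.1 204 No Content\r\n\r\n",
}


def parse_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a response head into (status code, lower-cased header map)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit(raw: str) -> List[str]:
    """Return finding codes for the two cases raised in the issue."""
    status, headers = parse_head(raw)
    findings: List[str] = []
    empty_body = status == 204 or headers.get("content-length") == "0"
    # RFC 7231 section 3.1.1.5: a response with a payload body should carry
    # Content-Type; otherwise the recipient may guess (sniff) the media type.
    if not empty_body and "content-type" not in headers:
        findings.append("MISSING_CONTENT_TYPE")
    # An empty body sent as 200 is stated more accurately as 204 No Content.
    if status == 200 and headers.get("content-length") == "0":
        findings.append("EMPTY_BODY_USE_204")
    return findings


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {audit(raw) or 'ok'}")
```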