Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HTTP 304 being returned when Etag doesn't match #202

Closed
edmorley opened this issue Nov 12, 2018 · 0 comments
Closed

HTTP 304 being returned when Etag doesn't match #202

edmorley opened this issue Nov 12, 2018 · 0 comments

Comments

@edmorley
Copy link
Contributor

@edmorley edmorley commented Nov 12, 2018

Hi!

Currently WhiteNoise:

  • includes both an Etag and Last-Modified header on all responses
  • checks incoming requests to see if they specified a If-None-Match (used for Etag) or If-Modified-Since header, to determine whether to return an HTTP 304 response

However the current implementation falls back to If-Modified-Since even if there was a non-matching If-None-Match, rather than returning false:

def is_not_modified(self, request_headers):
if self.etag == request_headers.get('HTTP_IF_NONE_MATCH'):
return True
try:
last_requested = request_headers['HTTP_IF_MODIFIED_SINCE']
except KeyError:
return False
return parsedate(last_requested) >= self.last_modified

This is problematic since:

  • browsers (at least Firefox and Chrome, haven't checked the rest) always send both sets of headers
  • If-Modified-Since is unreliable in the case of deployment rollbacks (since by design the comparison is greater than or equal to modified time, rather than just equal to)

Demo:

curl -I https://treeherder.mozilla.org/ \
  -H 'If-None-Match: "this-will-not-match"' \
  -H 'If-Modified-Since: Thu, 25 Oct 2099 16:00:44 GMT'

Currently this returns HTTP 304 even though it has a non-matching If-None-Match header value.

This caused frontend breakage after a rollback we performed today, which persisted until users force-refreshed:


screenshot_2018-11-12 12 autoland

edmorley added a commit to edmorley/whitenoise that referenced this issue Nov 12, 2018
Previously if the ETag specified in the `If-None-Match` header
differed from the file's ETag, but the last modified time in the
`If-Modified-Since` header was newer than the file modified time,
then an HTTP 304 would be returned rather than the expected HTTP 200.

This case can occur when a deployment is rolled back, and User Agents
make a request with the reverted content's ETag and newer last
modified time. (Browsers typically send both headers.)

Fixes evansd#202.
@evansd evansd closed this in #203 Nov 12, 2018
bors bot added a commit to mozilla/normandy that referenced this issue Nov 19, 2018
Merge #1625
1625: Scheduled weekly dependency update for week 46 r=mythmon a=pyup-bot






### Update [botocore](https://pypi.org/project/botocore) from **1.12.42** to **1.12.47**.


<details>
  <summary>Changelog</summary>
  
  
   ### 1.12.47
   ```
   =======

* api-change:``ssm``: Update ssm client to latest version
* api-change:``comprehend``: Update comprehend client to latest version
* api-change:``workspaces``: Update workspaces client to latest version
* api-change:``ce``: Update ce client to latest version
* api-change:``ecs``: Update ecs client to latest version
   ```
   
  
  
   ### 1.12.46
   ```
   =======

* api-change:``s3``: Update s3 client to latest version
* api-change:``sms-voice``: Update sms-voice client to latest version
* api-change:``redshift``: Update redshift client to latest version
* api-change:``rds``: Update rds client to latest version
* api-change:``dms``: Update dms client to latest version
* api-change:``codebuild``: Update codebuild client to latest version
* api-change:``s3control``: Update s3control client to latest version
* api-change:``directconnect``: Update directconnect client to latest version
* api-change:``ram``: Update ram client to latest version
* api-change:``pinpoint``: Update pinpoint client to latest version
* api-change:``route53resolver``: Update route53resolver client to latest version
* api-change:``comprehend``: Update comprehend client to latest version
* api-change:``transcribe``: Update transcribe client to latest version
* api-change:``ecs``: Update ecs client to latest version
* api-change:``iam``: Update iam client to latest version
   ```
   
  
  
   ### 1.12.45
   ```
   =======

* api-change:``resource-groups``: Update resource-groups client to latest version
* api-change:``autoscaling``: Update autoscaling client to latest version
* api-change:``mediatailor``: Update mediatailor client to latest version
* api-change:``sns``: Update sns client to latest version
* api-change:``sagemaker``: Update sagemaker client to latest version
* api-change:``servicecatalog``: Update servicecatalog client to latest version
* api-change:``ec2``: Update ec2 client to latest version
   ```
   
  
  
   ### 1.12.44
   ```
   =======

* api-change:``chime``: Update chime client to latest version
* api-change:``budgets``: Update budgets client to latest version
* api-change:``redshift``: Update redshift client to latest version
   ```
   
  
  
   ### 1.12.43
   ```
   =======

* api-change:``polly``: Update polly client to latest version
* api-change:``batch``: Update batch client to latest version
* api-change:``firehose``: Update firehose client to latest version
* api-change:``cloudformation``: Update cloudformation client to latest version
* api-change:``budgets``: Update budgets client to latest version
* api-change:``codepipeline``: Update codepipeline client to latest version
* api-change:``rds``: Update rds client to latest version
   ```
   
  
</details>


 

<details>
  <summary>Links</summary>
  
  - PyPI: https://pypi.org/project/botocore
  - Changelog: https://pyup.io/changelogs/botocore/
  - Repo: https://github.com/boto/botocore
</details>





### Update [Faker](https://pypi.org/project/Faker) from **0.9.2** to **1.0.0**.


<details>
  <summary>Changelog</summary>
  
  
   ### 1.0.0
   ```
   * 2 major enhancements
    * Moved all formats to locale files
    * Stopped interfering with I18n&#39;s global settings for fallbacks
* 3 minor bug fixes:
    * Ruby 1.9.2 fixes [eMxyzptlk]
    * UTF8 fixes [maxmiliano]
    * Updated IPv4 generator to return valid addresses [Sylvain Desbureaux]
* Many minor enhancements:
    * Added bork locale for bork-ified lorem [johnbentcope]
    * Added IPv6 address generator [jc00ke]
    * Removed deprecation warnings for Arrayrand [chrismarshall]
    * Added German translation and I18n improvments [Matthias Kühnert]
    * Added Dutch translation [moretea]
    * Added Lat/Long generator [Andy Callaghan]
    * Added buzzword-laden title generator [supercleanse]
    * Added optional extended wordlist for lorem [chriskottom]
    * Updated German translation [Jan Schwenzien]
    * Locale improvements [suweller]
    * Added limit to lorem generator [darrenterhune]
    * Added Brazilian Portuguese translation [maxmiliano]
    * Added Australian translation [madeindata]
    * Added Canadian translation [igbanam]
    * Added Norwegian translation [kytrinyx]
    * Lots of translation-related cleanup [kytrinyx]
   ```
   
  
  
   ### 0.9.5
   ```
   * 1 minor bug fix:
    * Fixed YAML [Aaron Patterson]
* 3 minor enhancements:
    * Added default rake task to run all tests [Aaron Patterson]
    * Removed shuffle method [Aaron Patterson]
    * Use psych if present [Aaron Patterson]
   ```
   
  
  
   ### 0.9.4
   ```
   * 1 minor bug fix:
    * Stopped getting in the way of Rails&#39; late locale loading
   ```
   
  
  
   ### 0.9.3
   ```
   * 1 minor enhancement:
    * Added a faker namespace for translations
   ```
   
  
</details>


 

<details>
  <summary>Links</summary>
  
  - PyPI: https://pypi.org/project/faker
  - Changelog: https://pyup.io/changelogs/faker/
  - Repo: https://github.com/joke2k/faker
</details>





### Update [setuptools](https://pypi.org/project/setuptools) from **40.5.0** to **40.6.2**.


<details>
  <summary>Changelog</summary>
  
  
   ### 40.6.2
   ```
   -------

* 1592: Fix invalid dependency on external six module (instead of vendored version).
   ```
   
  
  
   ### 40.6.1
   ```
   -------

* 1590: Fixed regression where packages without ``author`` or ``author_email`` fields generated malformed package metadata.
   ```
   
  
  
   ### 40.6.0
   ```
   -------

* 1541: Officially deprecated the ``requires`` parameter in ``setup()``.
* 1519: In ``pkg_resources.normalize_path``, additional path normalization is now performed to ensure path values to a directory is always the same, preventing false positives when checking scripts have a consistent prefix to set up on Windows.
* 1545: Changed the warning class of all deprecation warnings; deprecation warning classes are no longer derived from ``DeprecationWarning`` and are thus visible by default.
* 1554: ``build_meta.build_sdist`` now includes ``setup.py`` in source distributions by default.
* 1576: Started monkey-patching ``get_metadata_version`` and ``read_pkg_file`` onto ``distutils.DistributionMetadata`` to retain the correct version on the ``PKG-INFO`` file in the (deprecated) ``upload`` command.
* 1533: Restricted the ``recursive-include setuptools/_vendor`` to contain only .py and .txt files.
* 1395: Changed Pyrex references to Cython in the documentation.
* 1456: Documented that the ``rpmbuild`` packages is required for the ``bdist_rpm`` command.
* 1537: Documented how to use ``setup.cfg`` for ``src/ layouts``
* 1539: Added minimum version column in ``setup.cfg`` metadata table.
* 1552: Fixed a minor typo in the python 2/3 compatibility documentation.
* 1553: Updated installation instructions to point to ``pip install`` instead of ``ez_setup.py``.
* 1560: Updated ``setuptools`` distribution documentation to remove some outdated information.
* 1564: Documented ``setup.cfg`` minimum version for version and project_urls.
* 1572: Added the ``concurrent.futures`` backport ``futures`` to the Python 2.7 test suite requirements.
   ```
   
  
</details>


 

<details>
  <summary>Links</summary>
  
  - PyPI: https://pypi.org/project/setuptools
  - Changelog: https://pyup.io/changelogs/setuptools/
  - Repo: https://github.com/pypa/setuptools
</details>





### Update [google-auth](https://pypi.org/project/google-auth) from **1.6.0** to **1.6.1**.


<details>
  <summary>Changelog</summary>
  
  
   ### 1.6.1
   ```
   ------

11-12-2018 10:10 PST

Implementation Changes
++++++++++++++++++++++

- Automatically refresh impersonated credentials (304)
   ```
   
  
</details>


 

<details>
  <summary>Links</summary>
  
  - PyPI: https://pypi.org/project/google-auth
  - Changelog: https://pyup.io/changelogs/google-auth/
  - Repo: https://github.com/GoogleCloudPlatform/google-auth-library-python
</details>





### Update [boto3](https://pypi.org/project/boto3) from **1.9.42** to **1.9.47**.


<details>
  <summary>Changelog</summary>
  
  
   ### 1.9.47
   ```
   ======

* api-change:``ssm``: [``botocore``] Update ssm client to latest version
* api-change:``comprehend``: [``botocore``] Update comprehend client to latest version
* api-change:``workspaces``: [``botocore``] Update workspaces client to latest version
* api-change:``ce``: [``botocore``] Update ce client to latest version
* api-change:``ecs``: [``botocore``] Update ecs client to latest version
   ```
   
  
  
   ### 1.9.46
   ```
   ======

* api-change:``s3``: [``botocore``] Update s3 client to latest version
* api-change:``sms-voice``: [``botocore``] Update sms-voice client to latest version
* api-change:``redshift``: [``botocore``] Update redshift client to latest version
* api-change:``rds``: [``botocore``] Update rds client to latest version
* api-change:``dms``: [``botocore``] Update dms client to latest version
* api-change:``codebuild``: [``botocore``] Update codebuild client to latest version
* api-change:``s3control``: [``botocore``] Update s3control client to latest version
* api-change:``directconnect``: [``botocore``] Update directconnect client to latest version
* api-change:``ram``: [``botocore``] Update ram client to latest version
* api-change:``pinpoint``: [``botocore``] Update pinpoint client to latest version
* api-change:``route53resolver``: [``botocore``] Update route53resolver client to latest version
* api-change:``comprehend``: [``botocore``] Update comprehend client to latest version
* api-change:``transcribe``: [``botocore``] Update transcribe client to latest version
* api-change:``ecs``: [``botocore``] Update ecs client to latest version
* api-change:``iam``: [``botocore``] Update iam client to latest version
   ```
   
  
  
   ### 1.9.45
   ```
   ======

* api-change:``resource-groups``: [``botocore``] Update resource-groups client to latest version
* api-change:``autoscaling``: [``botocore``] Update autoscaling client to latest version
* api-change:``mediatailor``: [``botocore``] Update mediatailor client to latest version
* api-change:``sns``: [``botocore``] Update sns client to latest version
* api-change:``sagemaker``: [``botocore``] Update sagemaker client to latest version
* api-change:``servicecatalog``: [``botocore``] Update servicecatalog client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
   ```
   
  
  
   ### 1.9.44
   ```
   ======

* api-change:``chime``: [``botocore``] Update chime client to latest version
* api-change:``budgets``: [``botocore``] Update budgets client to latest version
* api-change:``redshift``: [``botocore``] Update redshift client to latest version
   ```
   
  
  
   ### 1.9.43
   ```
   ======

* api-change:``polly``: [``botocore``] Update polly client to latest version
* api-change:``batch``: [``botocore``] Update batch client to latest version
* api-change:``firehose``: [``botocore``] Update firehose client to latest version
* api-change:``cloudformation``: [``botocore``] Update cloudformation client to latest version
* api-change:``budgets``: [``botocore``] Update budgets client to latest version
* api-change:``codepipeline``: [``botocore``] Update codepipeline client to latest version
* api-change:``rds``: [``botocore``] Update rds client to latest version
   ```
   
  
</details>


 

<details>
  <summary>Links</summary>
  
  - PyPI: https://pypi.org/project/boto3
  - Changelog: https://pyup.io/changelogs/boto3/
  - Repo: https://github.com/boto/boto3
</details>





### Update [newrelic](https://pypi.org/project/newrelic) from **4.4.1.104** to **4.6.0.106**.


<details>
  <summary>Changelog</summary>
  
  
   ### 4.6.0.106
   ```
   This release of the Python agent includes changes to the agent to enable monitoring of Lambda functions, improves the built-in Sanic instrumentation, and includes various bug fixes.

The agent can be installed using easy_install/pip/distribute via the Python Package Index or can be downloaded directly from the New Relic download site.

Features


Monitoring of Lambda functions

This release includes changes to the agent to enable monitoring of Lambda functions. If you are interested in learning more or previewing New Relic Lambda monitoring please email lambda_previewnewrelic.com.
Improve naming of Sanic HTTPMethodView view handlers

Sanic views that were defined using the HTTPMethodView class were previously all named HTTPMethodView.as_view..view regardless of the actual class in use. The agent will now name transactions after the actual view handler class.


Bug Fixes


Fix ignored error reporting in CherryPy instrumention

When missing query parameters, unexpected query parameters, unexpected positional arguments, or duplicate arguments were present in the CherryPy framework, a TypeError exception was recorded even when an ignored response status code (such as a 404) was generated. An error is no longer recorded when it results in the generation of an ignored status code.
Excluding request.uri from transaction trace attributes hides it in the UI

When request.uri is added to either attributes.exclude or transaction_tracer.attributes.exclude, the value will now no longer appear in the APM UI for transaction traces.
Ability to disable sending request.uri as part of error traces

Error traces will now respect excluding request.uri when added to the attributes.exclude list in the newrelic.ini configuration file.
Fix tracing of functions returning generators

When tracing generators whose parent traces have ended an error was seen in the logs &quot;Transaction ended but current_node is not Sentinel.&quot; This has now been fixed.
   ```
   
  
</details>


 

<details>
  <summary>Links</summary>
  
  - PyPI: https://pypi.org/project/newrelic
  - Changelog: https://pyup.io/changelogs/newrelic/
  - Homepage: http://newrelic.com/docs/python/new-relic-for-python
</details>





### Update [pytest-django](https://pypi.org/project/pytest-django) from **3.4.3** to **3.4.4**.


<details>
  <summary>Changelog</summary>
  
  
   ### 3.4.4
   ```
   ------------------

Bugfixes
^^^^^^^^

* Refine the django.conf module check to see if the settings really are
  configured (668).
* Avoid crash after OSError during Django path detection (664).

Features
^^^^^^^^

* Add parameter info to fixture assert_num_queries to display additional message on failure (663).

Docs
^^^^

* Improve doc for django_assert_num_queries/django_assert_max_num_queries.
* Add warning about sqlite specific snippet + fix typos (666).

Misc
^^^^

* MANIFEST.in: include tests for downstream distros (653).
* Ensure that the LICENSE file is included in wheels (665).
* Run black on source.
   ```
   
  
</details>


 

<details>
  <summary>Links</summary>
  
  - PyPI: https://pypi.org/project/pytest-django
  - Changelog: https://pyup.io/changelogs/pytest-django/
  - Docs: https://pytest-django.readthedocs.io/
</details>





### Update [pytest](https://pypi.org/project/pytest) from **3.10.1** to **4.0.0**.


<details>
  <summary>Changelog</summary>
  
  
   ### 4.0.0
   ```
   =========================

Removals
--------

- `3737 &lt;https://github.com/pytest-dev/pytest/issues/3737&gt;`_: **RemovedInPytest4Warnings are now errors by default.**

  Following our plan to remove deprecated features with as little disruption as
  possible, all warnings of type ``RemovedInPytest4Warnings`` now generate errors
  instead of warning messages.

  **The affected features will be effectively removed in pytest 4.1**, so please consult the
  `Deprecations and Removals &lt;https://docs.pytest.org/en/latest/deprecations.html&gt;`__
  section in the docs for directions on how to update existing code.

  In the pytest ``4.0.X`` series, it is possible to change the errors back into warnings as a stop
  gap measure by adding this to your ``pytest.ini`` file:

  .. code-block:: ini

      [pytest]
      filterwarnings =
          ignore::pytest.RemovedInPytest4Warning

  But this will stop working when pytest ``4.1`` is released.

  **If you have concerns** about the removal of a specific feature, please add a
  comment to `4348 &lt;https://github.com/pytest-dev/pytest/issues/4348&gt;`__.


- `4358 &lt;https://github.com/pytest-dev/pytest/issues/4358&gt;`_: Remove the ``::()`` notation to denote a test class instance in node ids.

  Previously, node ids that contain test instances would use ``::()`` to denote the instance like this::

      test_foo.py::Test::()::test_bar

  The extra ``::()`` was puzzling to most users and has been removed, so that the test id becomes now::

      test_foo.py::Test::test_bar

  This change could not accompany a deprecation period as is usual when user-facing functionality changes because
  it was not really possible to detect when the functionality was being used explicitly.

  The extra ``::()`` might have been removed in some places internally already,
  which then led to confusion in places where it was expected, e.g. with
  ``--deselect`` (`4127 &lt;https://github.com/pytest-dev/pytest/issues/4127&gt;`_).

  Test class instances are also not listed with ``--collect-only`` anymore.



Features
--------

- `4270 &lt;https://github.com/pytest-dev/pytest/issues/4270&gt;`_: The ``cache_dir`` option uses ``$TOX_ENV_DIR`` as prefix (if set in the environment).

  This uses a different cache per tox environment by default.



Bug Fixes
---------

- `3554 &lt;https://github.com/pytest-dev/pytest/issues/3554&gt;`_: Fix ``CallInfo.__repr__`` for when the call is not finished yet.
   ```
   
  
</details>


 

<details>
  <summary>Links</summary>
  
  - PyPI: https://pypi.org/project/pytest
  - Changelog: https://pyup.io/changelogs/pytest/
  - Homepage: https://docs.pytest.org/en/latest/
</details>





### Update [whitenoise](https://pypi.org/project/whitenoise) from **4.1** to **4.1.1**.


<details>
  <summary>Changelog</summary>
  
  
   ### 4.1.1
   ```
   ------

 * Fix `bug &lt;https://github.com/evansd/whitenoise/issues/202&gt;`_ in ETag
   handling (thanks `edmorley &lt;https://github.com/edmorley&gt;`_).
 * Add .woff2 to the list of file extensions that don&#39;t require compression
   (thanks `jamesbeith &lt;https://github.com/jamesbeith&gt;`_).
   ```
   
  
</details>


 

<details>
  <summary>Links</summary>
  
  - PyPI: https://pypi.org/project/whitenoise
  - Changelog: https://pyup.io/changelogs/whitenoise/
  - Homepage: http://whitenoise.evans.io
</details>







Co-authored-by: pyup-bot <github-bot@pyup.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant
You can’t perform that action at this time.