HTTP 304 being returned when Etag doesn't match #202
Comments
edmorley
added a commit
to edmorley/whitenoise
that referenced
this issue
Nov 12, 2018
Previously if the ETag specified in the `If-None-Match` header differed from the file's ETag, but the last modified time in the `If-Modified-Since` header was newer than the file modified time, then an HTTP 304 would be returned rather than the expected HTTP 200. This case can occur when a deployment is rolled back, and User Agents make a request with the reverted content's ETag and newer last modified time. (Browsers typically send both headers.) Fixes evansd#202.
bors bot
added a commit
to mozilla/normandy
that referenced
this issue
Nov 19, 2018
1625: Scheduled weekly dependency update for week 46 r=mythmon a=pyup-bot ### Update [botocore](https://pypi.org/project/botocore) from **1.12.42** to **1.12.47**. <details> <summary>Changelog</summary> ### 1.12.47 ``` ======= * api-change:``ssm``: Update ssm client to latest version * api-change:``comprehend``: Update comprehend client to latest version * api-change:``workspaces``: Update workspaces client to latest version * api-change:``ce``: Update ce client to latest version * api-change:``ecs``: Update ecs client to latest version ``` ### 1.12.46 ``` ======= * api-change:``s3``: Update s3 client to latest version * api-change:``sms-voice``: Update sms-voice client to latest version * api-change:``redshift``: Update redshift client to latest version * api-change:``rds``: Update rds client to latest version * api-change:``dms``: Update dms client to latest version * api-change:``codebuild``: Update codebuild client to latest version * api-change:``s3control``: Update s3control client to latest version * api-change:``directconnect``: Update directconnect client to latest version * api-change:``ram``: Update ram client to latest version * api-change:``pinpoint``: Update pinpoint client to latest version * api-change:``route53resolver``: Update route53resolver client to latest version * api-change:``comprehend``: Update comprehend client to latest version * api-change:``transcribe``: Update transcribe client to latest version * api-change:``ecs``: Update ecs client to latest version * api-change:``iam``: Update iam client to latest version ``` ### 1.12.45 ``` ======= * api-change:``resource-groups``: Update resource-groups client to latest version * api-change:``autoscaling``: Update autoscaling client to latest version * api-change:``mediatailor``: Update mediatailor client to latest version * api-change:``sns``: Update sns client to latest version * api-change:``sagemaker``: Update sagemaker client to latest version * api-change:``servicecatalog``: Update servicecatalog client to latest version * api-change:``ec2``: Update ec2 client to latest version ``` ### 1.12.44 ``` ======= * api-change:``chime``: Update chime client to latest version * api-change:``budgets``: Update budgets client to latest version * api-change:``redshift``: Update redshift client to latest version ``` ### 1.12.43 ``` ======= * api-change:``polly``: Update polly client to latest version * api-change:``batch``: Update batch client to latest version * api-change:``firehose``: Update firehose client to latest version * api-change:``cloudformation``: Update cloudformation client to latest version * api-change:``budgets``: Update budgets client to latest version * api-change:``codepipeline``: Update codepipeline client to latest version * api-change:``rds``: Update rds client to latest version ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/botocore - Changelog: https://pyup.io/changelogs/botocore/ - Repo: https://github.com/boto/botocore </details> ### Update [Faker](https://pypi.org/project/Faker) from **0.9.2** to **1.0.0**. <details> <summary>Changelog</summary> ### 1.0.0 ``` * 2 major enhancements * Moved all formats to locale files * Stopped interfering with I18n's global settings for fallbacks * 3 minor bug fixes: * Ruby 1.9.2 fixes [eMxyzptlk] * UTF8 fixes [maxmiliano] * Updated IPv4 generator to return valid addresses [Sylvain Desbureaux] * Many minor enhancements: * Added bork locale for bork-ified lorem [johnbentcope] * Added IPv6 address generator [jc00ke] * Removed deprecation warnings for Arrayrand [chrismarshall] * Added German translation and I18n improvments [Matthias Kühnert] * Added Dutch translation [moretea] * Added Lat/Long generator [Andy Callaghan] * Added buzzword-laden title generator [supercleanse] * Added optional extended wordlist for lorem [chriskottom] * Updated German translation [Jan Schwenzien] * Locale improvements [suweller] * Added limit to lorem generator [darrenterhune] * Added Brazilian Portuguese translation [maxmiliano] * Added Australian translation [madeindata] * Added Canadian translation [igbanam] * Added Norwegian translation [kytrinyx] * Lots of translation-related cleanup [kytrinyx] ``` ### 0.9.5 ``` * 1 minor bug fix: * Fixed YAML [Aaron Patterson] * 3 minor enhancements: * Added default rake task to run all tests [Aaron Patterson] * Removed shuffle method [Aaron Patterson] * Use psych if present [Aaron Patterson] ``` ### 0.9.4 ``` * 1 minor bug fix: * Stopped getting in the way of Rails' late locale loading ``` ### 0.9.3 ``` * 1 minor enhancement: * Added a faker namespace for translations ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/faker - Changelog: https://pyup.io/changelogs/faker/ - Repo: https://github.com/joke2k/faker </details> ### Update [setuptools](https://pypi.org/project/setuptools) from **40.5.0** to **40.6.2**. <details> <summary>Changelog</summary> ### 40.6.2 ``` ------- * 1592: Fix invalid dependency on external six module (instead of vendored version). ``` ### 40.6.1 ``` ------- * 1590: Fixed regression where packages without ``author`` or ``author_email`` fields generated malformed package metadata. ``` ### 40.6.0 ``` ------- * 1541: Officially deprecated the ``requires`` parameter in ``setup()``. * 1519: In ``pkg_resources.normalize_path``, additional path normalization is now performed to ensure path values to a directory is always the same, preventing false positives when checking scripts have a consistent prefix to set up on Windows. * 1545: Changed the warning class of all deprecation warnings; deprecation warning classes are no longer derived from ``DeprecationWarning`` and are thus visible by default. * 1554: ``build_meta.build_sdist`` now includes ``setup.py`` in source distributions by default. * 1576: Started monkey-patching ``get_metadata_version`` and ``read_pkg_file`` onto ``distutils.DistributionMetadata`` to retain the correct version on the ``PKG-INFO`` file in the (deprecated) ``upload`` command. * 1533: Restricted the ``recursive-include setuptools/_vendor`` to contain only .py and .txt files. * 1395: Changed Pyrex references to Cython in the documentation. * 1456: Documented that the ``rpmbuild`` packages is required for the ``bdist_rpm`` command. * 1537: Documented how to use ``setup.cfg`` for ``src/ layouts`` * 1539: Added minimum version column in ``setup.cfg`` metadata table. * 1552: Fixed a minor typo in the python 2/3 compatibility documentation. * 1553: Updated installation instructions to point to ``pip install`` instead of ``ez_setup.py``. * 1560: Updated ``setuptools`` distribution documentation to remove some outdated information. * 1564: Documented ``setup.cfg`` minimum version for version and project_urls. * 1572: Added the ``concurrent.futures`` backport ``futures`` to the Python 2.7 test suite requirements. ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/setuptools - Changelog: https://pyup.io/changelogs/setuptools/ - Repo: https://github.com/pypa/setuptools </details> ### Update [google-auth](https://pypi.org/project/google-auth) from **1.6.0** to **1.6.1**. <details> <summary>Changelog</summary> ### 1.6.1 ``` ------ 11-12-2018 10:10 PST Implementation Changes ++++++++++++++++++++++ - Automatically refresh impersonated credentials (304) ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/google-auth - Changelog: https://pyup.io/changelogs/google-auth/ - Repo: https://github.com/GoogleCloudPlatform/google-auth-library-python </details> ### Update [boto3](https://pypi.org/project/boto3) from **1.9.42** to **1.9.47**. <details> <summary>Changelog</summary> ### 1.9.47 ``` ====== * api-change:``ssm``: [``botocore``] Update ssm client to latest version * api-change:``comprehend``: [``botocore``] Update comprehend client to latest version * api-change:``workspaces``: [``botocore``] Update workspaces client to latest version * api-change:``ce``: [``botocore``] Update ce client to latest version * api-change:``ecs``: [``botocore``] Update ecs client to latest version ``` ### 1.9.46 ``` ====== * api-change:``s3``: [``botocore``] Update s3 client to latest version * api-change:``sms-voice``: [``botocore``] Update sms-voice client to latest version * api-change:``redshift``: [``botocore``] Update redshift client to latest version * api-change:``rds``: [``botocore``] Update rds client to latest version * api-change:``dms``: [``botocore``] Update dms client to latest version * api-change:``codebuild``: [``botocore``] Update codebuild client to latest version * api-change:``s3control``: [``botocore``] Update s3control client to latest version * api-change:``directconnect``: [``botocore``] Update directconnect client to latest version * api-change:``ram``: [``botocore``] Update ram client to latest version * api-change:``pinpoint``: [``botocore``] Update pinpoint client to latest version * api-change:``route53resolver``: [``botocore``] Update route53resolver client to latest version * api-change:``comprehend``: [``botocore``] Update comprehend client to latest version * api-change:``transcribe``: [``botocore``] Update transcribe client to latest version * api-change:``ecs``: [``botocore``] Update ecs client to latest version * api-change:``iam``: [``botocore``] Update iam client to latest version ``` ### 1.9.45 ``` ====== * api-change:``resource-groups``: [``botocore``] Update resource-groups client to latest version * api-change:``autoscaling``: [``botocore``] Update autoscaling client to latest version * api-change:``mediatailor``: [``botocore``] Update mediatailor client to latest version * api-change:``sns``: [``botocore``] Update sns client to latest version * api-change:``sagemaker``: [``botocore``] Update sagemaker client to latest version * api-change:``servicecatalog``: [``botocore``] Update servicecatalog client to latest version * api-change:``ec2``: [``botocore``] Update ec2 client to latest version ``` ### 1.9.44 ``` ====== * api-change:``chime``: [``botocore``] Update chime client to latest version * api-change:``budgets``: [``botocore``] Update budgets client to latest version * api-change:``redshift``: [``botocore``] Update redshift client to latest version ``` ### 1.9.43 ``` ====== * api-change:``polly``: [``botocore``] Update polly client to latest version * api-change:``batch``: [``botocore``] Update batch client to latest version * api-change:``firehose``: [``botocore``] Update firehose client to latest version * api-change:``cloudformation``: [``botocore``] Update cloudformation client to latest version * api-change:``budgets``: [``botocore``] Update budgets client to latest version * api-change:``codepipeline``: [``botocore``] Update codepipeline client to latest version * api-change:``rds``: [``botocore``] Update rds client to latest version ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/boto3 - Changelog: https://pyup.io/changelogs/boto3/ - Repo: https://github.com/boto/boto3 </details> ### Update [newrelic](https://pypi.org/project/newrelic) from **4.4.1.104** to **4.6.0.106**. <details> <summary>Changelog</summary> ### 4.6.0.106 ``` This release of the Python agent includes changes to the agent to enable monitoring of Lambda functions, improves the built-in Sanic instrumentation, and includes various bug fixes. The agent can be installed using easy_install/pip/distribute via the Python Package Index or can be downloaded directly from the New Relic download site. Features Monitoring of Lambda functions This release includes changes to the agent to enable monitoring of Lambda functions. If you are interested in learning more or previewing New Relic Lambda monitoring please email lambda_previewnewrelic.com. Improve naming of Sanic HTTPMethodView view handlers Sanic views that were defined using the HTTPMethodView class were previously all named HTTPMethodView.as_view..view regardless of the actual class in use. The agent will now name transactions after the actual view handler class. Bug Fixes Fix ignored error reporting in CherryPy instrumention When missing query parameters, unexpected query parameters, unexpected positional arguments, or duplicate arguments were present in the CherryPy framework, a TypeError exception was recorded even when an ignored response status code (such as a 404) was generated. An error is no longer recorded when it results in the generation of an ignored status code. Excluding request.uri from transaction trace attributes hides it in the UI When request.uri is added to either attributes.exclude or transaction_tracer.attributes.exclude, the value will now no longer appear in the APM UI for transaction traces. Ability to disable sending request.uri as part of error traces Error traces will now respect excluding request.uri when added to the attributes.exclude list in the newrelic.ini configuration file. Fix tracing of functions returning generators When tracing generators whose parent traces have ended an error was seen in the logs "Transaction ended but current_node is not Sentinel." This has now been fixed. ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/newrelic - Changelog: https://pyup.io/changelogs/newrelic/ - Homepage: http://newrelic.com/docs/python/new-relic-for-python </details> ### Update [pytest-django](https://pypi.org/project/pytest-django) from **3.4.3** to **3.4.4**. <details> <summary>Changelog</summary> ### 3.4.4 ``` ------------------ Bugfixes ^^^^^^^^ * Refine the django.conf module check to see if the settings really are configured (668). * Avoid crash after OSError during Django path detection (664). Features ^^^^^^^^ * Add parameter info to fixture assert_num_queries to display additional message on failure (663). Docs ^^^^ * Improve doc for django_assert_num_queries/django_assert_max_num_queries. * Add warning about sqlite specific snippet + fix typos (666). Misc ^^^^ * MANIFEST.in: include tests for downstream distros (653). * Ensure that the LICENSE file is included in wheels (665). * Run black on source. ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/pytest-django - Changelog: https://pyup.io/changelogs/pytest-django/ - Docs: https://pytest-django.readthedocs.io/ </details> ### Update [pytest](https://pypi.org/project/pytest) from **3.10.1** to **4.0.0**. <details> <summary>Changelog</summary> ### 4.0.0 ``` ========================= Removals -------- - `3737 <https://github.com/pytest-dev/pytest/issues/3737>`_: **RemovedInPytest4Warnings are now errors by default.** Following our plan to remove deprecated features with as little disruption as possible, all warnings of type ``RemovedInPytest4Warnings`` now generate errors instead of warning messages. **The affected features will be effectively removed in pytest 4.1**, so please consult the `Deprecations and Removals <https://docs.pytest.org/en/latest/deprecations.html>`__ section in the docs for directions on how to update existing code. In the pytest ``4.0.X`` series, it is possible to change the errors back into warnings as a stop gap measure by adding this to your ``pytest.ini`` file: .. code-block:: ini [pytest] filterwarnings = ignore::pytest.RemovedInPytest4Warning But this will stop working when pytest ``4.1`` is released. **If you have concerns** about the removal of a specific feature, please add a comment to `4348 <https://github.com/pytest-dev/pytest/issues/4348>`__. - `4358 <https://github.com/pytest-dev/pytest/issues/4358>`_: Remove the ``::()`` notation to denote a test class instance in node ids. Previously, node ids that contain test instances would use ``::()`` to denote the instance like this:: test_foo.py::Test::()::test_bar The extra ``::()`` was puzzling to most users and has been removed, so that the test id becomes now:: test_foo.py::Test::test_bar This change could not accompany a deprecation period as is usual when user-facing functionality changes because it was not really possible to detect when the functionality was being used explicitly. The extra ``::()`` might have been removed in some places internally already, which then led to confusion in places where it was expected, e.g. with ``--deselect`` (`4127 <https://github.com/pytest-dev/pytest/issues/4127>`_). Test class instances are also not listed with ``--collect-only`` anymore. Features -------- - `4270 <https://github.com/pytest-dev/pytest/issues/4270>`_: The ``cache_dir`` option uses ``$TOX_ENV_DIR`` as prefix (if set in the environment). This uses a different cache per tox environment by default. Bug Fixes --------- - `3554 <https://github.com/pytest-dev/pytest/issues/3554>`_: Fix ``CallInfo.__repr__`` for when the call is not finished yet. ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/pytest - Changelog: https://pyup.io/changelogs/pytest/ - Homepage: https://docs.pytest.org/en/latest/ </details> ### Update [whitenoise](https://pypi.org/project/whitenoise) from **4.1** to **4.1.1**. <details> <summary>Changelog</summary> ### 4.1.1 ``` ------ * Fix `bug <https://github.com/evansd/whitenoise/issues/202>`_ in ETag handling (thanks `edmorley <https://github.com/edmorley>`_). * Add .woff2 to the list of file extensions that don't require compression (thanks `jamesbeith <https://github.com/jamesbeith>`_). ``` </details> <details> <summary>Links</summary> - PyPI: https://pypi.org/project/whitenoise - Changelog: https://pyup.io/changelogs/whitenoise/ - Homepage: http://whitenoise.evans.io </details> Co-authored-by: pyup-bot <github-bot@pyup.io>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi!
Currently WhiteNoise:
EtagandLast-Modifiedheader on all responsesIf-None-Match(used for Etag) orIf-Modified-Sinceheader, to determine whether to return an HTTP 304 responseHowever the current implementation falls back to
If-Modified-Sinceeven if there was a non-matchingIf-None-Match, rather than returning false:whitenoise/whitenoise/responders.py
Lines 169 to 176 in 1b5a7f3
This is problematic since:
If-Modified-Sinceis unreliable in the case of deployment rollbacks (since by design the comparison is greater than or equal to modified time, rather than just equal to)Demo:
Currently this returns HTTP 304 even though it has a non-matching
If-None-Matchheader value.This caused frontend breakage after a rollback we performed today, which persisted until users force-refreshed:
The text was updated successfully, but these errors were encountered: