HEAD method not allowed to access mitm.it

[tomlabaude]

Steps to reproduce the problem:

1. Using mitmdump in transparent mode, with on-boarding port on 6969 (did not test on 80)
   /mitmdump -T --host --insecure --onboarding-port 6969

2. On iPad + Chrome + Transparent mode, access to http://mitm.it:6969

3. An HEAD /cert/pem is sent, receive an "405 Method Not Allowed"

Any idea of any workaround?

Any other comments? What have you tried so far?

Exact packet:
Hypertext Transfer Protocol
HEAD /cert/pem HTTP/1.1\r\n
Host: mitm.it:6969\r\n
Connection: keep-alive\r\n
User-Agent: Mozilla/5.0 (iPad; CPU OS 9_2 like Mac OS X) AppleWebKit/601.1 (KHTML, like Gecko) CriOS/55.0.2883.79 Mobile/13C75 Safari/601.1.46\r\n
Accept-Encoding: gzip, deflate, sdch\r\n
Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4\r\n
\r\n

Answer:
Hypertext Transfer Protocol
HTTP/1.1 405 Method Not Allowed\r\n
Server: TornadoServer/4.4.2\r\n
Content-Length: 87\r\n
Date: Tue, 09 May 2017 13:35:38 GMT\r\n
Content-Type: text/html; charset=UTF-8\r\n
\r\n

System information

mitmdump --version
Mitmproxy version: 2.0.1 (release version) Precompiled Binary
Python version: 3.5.2
Platform: Darwin-16.5.0-x86_64-i386-64bit
SSL version: OpenSSL 1.0.2j 26 Sep 2016
Mac version: 10.12.4 ('', '', '') x86_64

[Kriechi]

AFAIK the mitm.it just implements enough to serve the page.
Any specific reason why you want to use a HEAD request?
Or is this an intrinsic behaviour of Chrome for iOS? Why are they doing it?

[tomlabaude]

Actually it makes both requests in a row:
GET, I receive a 400
HEAD, I receive 405

It works well on Safari on iPad

[Kriechi]

Ok - thanks for the wireshark trace.
Looks like the regular GET still works ok.

Not sure now why you are seeing a HEAD request as well.
But I guess there is no harm in implementing it here

mitmproxy/mitmproxy/addons/onboardingapp/app.py

Lines 41 to 57 in 81d68aa

	class PEM(tornado.web.RequestHandler):
	@property
	def filename(self):
	return config.CONF_BASENAME + "-ca-cert.pem"
	def get(self):
	p = os.path.join(self.request.master.options.cadir, self.filename)
	p = os.path.expanduser(p)
	self.set_header("Content-Type", "application/x-x509-ca-cert")
	self.set_header(
	"Content-Disposition",
	"inline; filename={}".format(
	self.filename))
	with open(p, "rb") as f:
	self.write(f.read())

and here

mitmproxy/mitmproxy/addons/onboardingapp/app.py

Lines 60 to 76 in 81d68aa

	class P12(tornado.web.RequestHandler):
	@property
	def filename(self):
	return config.CONF_BASENAME + "-ca-cert.p12"
	def get(self):
	p = os.path.join(self.request.master.options.cadir, self.filename)
	p = os.path.expanduser(p)
	self.set_header("Content-Type", "application/x-pkcs12")
	self.set_header(
	"Content-Disposition",
	"inline; filename={}".format(
	self.filename))
	with open(p, "rb") as f:
	self.write(f.read())

PRs are welcome!

[tomlabaude]

You mean something like def head(self): ... with exact same definition as def get(self)?

Or it's not simple as that?

[Kriechi]

More or less.
The important bit is probably self.set_header("Content-Length", "7")