
A dynamic POST form that should be cached using an ETag. Navigation:

  1. A user browses to the form form.html and receives the status 200 with the new ETag "DNEI297" in the response from the server. Now the browser caches this document.
  2. The user enters some values and finally posts the form data to form.html (browser to server) and receives from the server the HTTP status code 205 (accepted/reset form data) and the unchanged ETag "DNEI297".
  3. Since the 205 response is empty in this case, the browser reloads the page form.html using the ETag "DNEI297". The server compares the ETag with its own ETag, decides that neither the form nor the ETag changed and that the browser already has the correct version of form.html cached, and sends a 304 (unchanged).

Now the problem: since the server sent a 304, the browser took the last request and decided to use the cached version. But the cached version is the answer to the POST request, with status code 205 and the ETag "DNEI297".

Finally, after the form is submitted, the document's HTTP status is 205. How can I avoid the wrong code? It causes trouble and produces alerts from antivirus plugins.

Grim

1 Answer

The server in this case erred by sending the same ETag—or any ETag—in its 205 response to the form submission.

RFC 7232 describes when it's appropriate to use an ETag:

> A "strong validator" is representation metadata that changes value whenever a change occurs to the representation data that would be observable in the payload body of a 200 (OK) response to GET.

So you should not send an ETag along with the empty 205 response, since that's not what you'd get by doing a successful GET to that URL.

Kevin Christopher Henry
  • Thank you, I removed the ETag from the 205 response but the behavior remains unchanged, even in a new in-private tab. – Grim Jan 04 '21 at 07:44
  • @Grim: Using a private browser window doesn't prevent access to the cache; you need to explicitly clear the cache for your site. The bigger issue is that this behavior ("the cached version is the answer of the post-request") is just extremely unlikely, as browsers generally do not cache responses to `POST` requests at all unless you take pains to make that happen (see [here](https://stackoverflow.com/questions/626057/is-it-possible-to-cache-post-methods-in-http) for example). So you're probably going to have to edit the question to include full requests and response headers for each step. – Kevin Christopher Henry Jan 04 '21 at 13:54
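
The answer's point, sketched as server-side response logic. This is an added example, not code from the question, the answer or the comments; the function names, the sample form markup and the `Cache-Control` values are assumptions. The ETag is derived only from the body a 200 GET would return, the 304 repeats it, and the empty 205 carries no validator and is marked `no-store`.

```python
import hashlib

# Constructed sample form body, standing in for form.html.
FORM_HTML = b"<form method='post' action='form.html'><input name='q'></form>"

def etag_for(body: bytes) -> str:
    """Strong validator derived from the bytes a 200 GET would return."""
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'

def _opaque(tag: str) -> str:
    """Drop the weak prefix so tags can be compared weakly."""
    return tag[2:] if tag.startswith("W/") else tag

def _matches(if_none_match: str, etag: str) -> bool:
    """Weak comparison of If-None-Match against the current ETag."""
    candidates = [c.strip() for c in if_none_match.split(",")]
    if "*" in candidates:
        return True
    return _opaque(etag) in {_opaque(c) for c in candidates}

def respond(method: str, request_headers: dict, body: bytes = FORM_HTML):
    """Return (status, headers, payload) for form.html (hypothetical handler)."""
    etag = etag_for(body)
    if method == "GET":
        inm = request_headers.get("If-None-Match")
        if inm and _matches(inm, etag):
            # 304 repeats the validator of the GET representation, no payload.
            return 304, {"ETag": etag}, b""
        # no-cache (assumed policy): store, but revalidate before reuse.
        return 200, {"ETag": etag, "Cache-Control": "no-cache",
                     "Content-Type": "text/html"}, body
    if method == "POST":
        # 205 has no payload and is not the GET representation, so it gets
        # no ETag; no-store keeps it out of any cache.
        return 205, {"Cache-Control": "no-store", "Content-Length": "0"}, b""
    return 405, {"Allow": "GET, POST"}, b""

def walk_through():
    """Replay the three steps from the question against respond()."""
    s1, h1, _ = respond("GET", {})
    s2, h2, _ = respond("POST", {})
    s3, h3, _ = respond("GET", {"If-None-Match": h1["ETag"]})
    return (s1, s2, s3), "ETag" in h2, h3["ETag"] == h1["ETag"]

if __name__ == "__main__":
    print(walk_through())
```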