node-solid-server icon indicating copy to clipboard operation
node-solid-server copied to clipboard
verified publisher icon nodeSolidServer

Support the `If-None-Match` header

Open NSeydoux opened this issue 5 years ago • 3 comments

Expected behaviour

  • POST a resource to an IRI where a resource already exists, with the If-None-Match header set.
  • The server returns 412, and the original resource is unchanged.

Actual behaviour

  • POST a resource to an IRI where a resource already exists, with the If-None-Match header set.
  • The server returns 201 Created, and the original resource is overwritten.

Additional context

When receiving a resource creation request (i.e. POST or PUT, possibly PATCH?), if the If-None-Match header is set, the server should perform a check to ensure that no resource is already stored at the target IRI.

In the case of POST, since the Slug header is meant to be a hint and not a hard constraint, I'm not sure what the behaviour should be, but when PUTting a resource to an IRI where a resource already exists, an If-None-Match request should fail with 412.

Open question

When only having write (but not read) access to a container, can this be used to exfiltrate information one should not be allowed to access ?

NSeydoux avatar Jun 16 '20 08:06 NSeydoux

Relevant conversation: https://gitter.im/solid/specification?at=5ee742837b6da9126a96ebdd

With the answer:

The Solid spec requires that servers implement If-None-Match as part of MUST implement RFC7232. Clients MAY implement RFC7232.

Vinnl avatar Jun 16 '20 08:06 Vinnl

When only having write (but not read) access to a container, can this be used to exfiltrate information one should not be allowed to access ?

Good question. I believe that will be addressed by finalising the order of status codes (depending on the request) in issues like https://github.com/solid/specification/issues/146 , https://github.com/solid/specification/issues/14 .

Note also https://tools.ietf.org/html/rfc7232#section-5 :

Except when excluded below, a recipient cache or origin server MUST evaluate received request preconditions after it has successfully performed its normal request checks and just before it would perform the action associated with the request method. A server MUST ignore all received preconditions if its response to the same request without those conditions would have been a status code other than a 2xx (Successful) or 412 (Precondition Failed). In other words, redirects and failures take precedence over the evaluation of preconditions in conditional requests.

csarven avatar Jun 16 '20 10:06 csarven

Small addition: If-None-Match is definitely not supported with PUT requests. I just tried this and a PUT request overwrites the existing file even when I have If-None-Match: *

crspybits avatar Sep 05 '21 05:09 crspybits