php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #40325 Vary: header missing in gzip output handlers
Submitted: 2007-02-02 13:10 UTC Modified: 2007-04-18 19:42 UTC
From: nicolas dot grekas+php at gmail dot com Assigned: mike
Status: Closed Package: Zlib related
PHP Version: 5.2.0 OS: All
Private report: No CVE-ID:
 [2007-02-02 13:10 UTC] nicolas dot grekas+php at gmail dot com
Description:
------------
At least ob_gzhandler, maybe gzip.outputcompress don't send a "Vary: Accept-Encoding" header when browser don't support compression. The result is that intermediate caches may get corrupted.

Reproduce code:
---------------
execute the code bellow with php-cgi :

<?php ob_start('ob_gzhander');

Expected result:
----------------
X-Powered-By: PHP/5.2.0
Content-Type: text/html



Actual result:
--------------
X-Powered-By: PHP/5.2.0
Content-Type: text/html
Vary: Accept-Encoding


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-02-02 13:11 UTC] nicolas dot grekas+php at gmail dot com
Oops : I've switched Expected and Actual results, sorry
 [2007-02-02 15:38 UTC] php_lists at realplain dot com
Just thought I'd add this comment that IE doesn't handle these Vary: headers correctly (breaks caching that would usually be used). :-( See http://lists.over.net/pipermail/mod_gzip/2002-December/006826.html

It's been awhile since I read the details, but maybe you'd want to use "Cache-Control: private" instead or in addition to Vary:?
 [2007-02-02 17:02 UTC] mike@php.net
Thanks, awesome read.
 [2007-02-02 18:44 UTC] nicolas dot grekas+php at gmail dot com
I knew this pb for IE, and the link of php_lists is worth reading. BUT it is NOT related to the bug I was submitting.

IE's bug with Vary header is :
IF (non-compressed-content + Vary-header)
THEN IE-dont-cache-entity

Here is my bug :
IF a resource is negotiated for compression
THEN we MUST send a Vary header.

In fact, for IE, the negotiation made by ob_gzhandler DOES ALREADY send a Vary header. Because negotiation ends to : browser (IE) accepts gzipped content.

So fixing this issue WONT CHANGE ANYTHING FOR IE, but will fix corrupted caches.

Should I explain more deeply the issue ?

Regards,
Nicolas
 [2007-03-21 14:42 UTC] nicolas dot grekas+php at gmail dot com
I'm sorry to insist, but this is for the good of PHP :) This bug is not bogus.

Here is the related RFC2616 HTTP1.1-14.44 excerpt that is not honored by ob_gzhandler : "An HTTP/1.1 server SHOULD include a Vary header field with any cacheable response that is subject to server-driven negotiation.".

In fact today, ob_gzhandler do send a "Vary: Accept-Encoding" header when the client accepts gzip or deflate. (This is the case for example for IE, Gecko, and many browsers.)
BUT : the RFC says that the vary header should be send IF _a_negociation_occurs_. That means that the Vary header is not meant to be send based on the result of any negociation. The point is : if you negociate, then you should send a Vary header, whatever the result of the nego.

What ob_gzhandler actually does is :
negociate, then if gzip/deflate accepted, send a Vary

What it should do is :
send a Vary, then negociate.


This but is in no way related to the bug of IE regarding vary headers : the current conditions requested by ob_gzhandler to send its vary header are always met by IE (accept gzip ? => yes).

Hope it helps
 [2007-04-18 18:43 UTC] mike@php.net
We can't fix this issue, due to the nature of PHP output handlers.

Consider he following code snippet:

<?php
ob_start("ob_gzhandler");
ob_end_clean();
?>

We'll get a plain response plus the Vary header, not really better either.

I'd suggest you to use mod_deflate or f.e. always send the Vary header yourself when using a zlib output handler:

<?php
header("Vary: Accept-Encoding");
ob_start("ob_gzhandler");
?>

 [2007-04-18 19:42 UTC] mike@php.net
It actually was fixable in HEAD. Not possible to MFH though.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 23:01:58 2014 UTC