php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #55063 Additional headers are ignored when returning HTTP status 304
Submitted: 2011-06-29 05:56 UTC Modified: 2015-07-16 11:18 UTC
Votes:5
Avg. Score:4.2 ± 1.0
Reproduced:4 of 4 (100.0%)
Same Version:1 (25.0%)
Same OS:1 (25.0%)
From: evert at rooftopsolutions dot nl Assigned:
Status: Not a bug Package: Apache2 related
PHP Version: 5.3.6 OS: Any
Private report: No CVE-ID: None
View Developer Edit
 [2011-06-29 05:56 UTC] evert at rooftopsolutions dot nl 
Description:
------------
When HTTP status 304 is set, Apache appears to ignore any other headers. X-
Powered-By is also missing, which was the first hint that something was up in 
either the SAPI or Apache.

I'm not fully sure this is a PHP bug, or an Apache bug though, so feel free to 
close it if I put it in the wrong space.

The practical use-case I have for this is the so-called CORS headers. When I do a 
cross-domain request within firefox, and CORS headers have expired firefox 
requires them to be set, even for the 304 response. Since they get stripped, 
firefox just throws an error. 

Test script:
---------------
header('HTTP/1.1 304 Not Modified')
header('X-Foo: Bar');

Expected result:
----------------
The X-Foo header returned

Actual result:
--------------
All custom headers are ignored

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-07-16 08:09 UTC] mike@php.net
-Status: Open +Status: Not a bug
 [2015-07-16 08:09 UTC] mike@php.net 
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

Apache will only send the following header fields on 304:

                     "Connection",
                     "Keep-Alive",
                     "ETag",
                     "Content-Location",
                     "Expires",
                     "Cache-Control",
                     "Vary",
                     "Warning",
                     "WWW-Authenticate",
                     "Proxy-Authenticate",
                     "Set-Cookie",
                     "Set-Cookie2",

See https://github.com/apache/httpd/blob/2.4.x/modules/http/http_filters.c#L1332
 [2015-07-16 11:18 UTC] mike@php.net 
Sorry for the blurb; note to self: avoid the quick-fix dropdown.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue Oct 28 14:00:01 2025 UTC