Incorrect caching of HTTP 302 responses in Opera

Contents

• Problem description
• The test case
• Analysis
• Links

Problem Description

This bug occured on <www.truecrypt.org> when redirecting a browser from an isolated <frame> page to its parent <frameset> page.

When the <frame> is requested from an outside location, (e.g. when the request comes with a Referer: header from another site), the server returns a 302 redirect to the frameset page. The frameset in turn links to the original URL, only this time, the Referer: header contains an expected location, so the server responds with an ordinary 200 response.

The problem is that Opera caches the first 302 response and sends the browser into infinite recursion.

The test case

I have simplified the original problem page, <http://www.truecrypt.org/docs/header-key-derivation>, into a small test case containing a frameset page [f0] with two frames [f1] and [f2].

When [f2] is requested with a Referer: that does not come from [f0], the server responds with a 302 redirection to [f0].

Analysis

Browser request:

• GET /www/opera/bugs/232554/http-302-caching-f2.html HTTP/1.1
• User-Agent: Opera/9.02 (Windows 98; U; en)
• Host: luden.se
• Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
• Accept-Language: sv-SE,sv;q=0.9,en;q=0.8,de;q=0.7
• Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
• Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
• Referer: http://luden.se/www/opera/bugs/232554/http-302-caching.html
• Cache-Control: no-cache
• TE: deflate, gzip, chunked, identity, trailers
• Connection: keep-alive

Server response:

• HTTP/1.1 302 Found
• Date: Sun, 08 Oct 2006 08:07:46 GMT
• Server: Apache/1.3.37 (Unix) PHP/4.4.4 mod_ssl/2.8.28 OpenSSL/0.9.7d
• Location: http://luden.se/www/opera/bugs/232554/http-302-caching-f.html
• Connection: close
• Transfer-Encoding: chunked
• Content-Type: text/html; charset=iso-8859-1

RFC 2616 has the following to say about 302 responses:

10.3.3 302 Found

The requested resource resides temporarily under a different URI. Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests. This response is only cacheable if indicated by a Cache-Control or Expires header field.

So later, when the frame page is referenced from the frameset page, the browser should send a request for the original URL with the expected Referer: header. Like this:

Browser request (hypothetical):

• GET /www/opera/bugs/232554/http-302-caching-f2.html HTTP/1.1
• User-Agent: Opera/9.02 (Windows 98; U; en)
• Host: luden.se
• Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
• Accept-Language: sv-SE,sv;q=0.9,en;q=0.8,de;q=0.7
• Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
• Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
• Referer: http://luden.se/www/opera/bugs/232554/http-302-caching-f.html
• Cache-Control: no-cache
• TE: deflate, gzip, chunked, identity, trailers
• Connection: keep-alive

Server response:

• HTTP/1.1 200 OK
• Date: Sun, 08 Oct 2006 08:08:00 GMT
• Server: Apache/1.3.37 (Unix) PHP/4.4.4 mod_ssl/2.8.28 OpenSSL/0.9.7d
• X-Powered-By: PHP/4.4.4
• Connection: close
• Transfer-Encoding: chunked
• Content-Type: text/html; charset=iso-8859-1

This is where Opera goes wrong. It never sends this request. Instead it re-uses the 302 response recieved earlier, and displays either an empty frame or a page thrown into recursion.

Links

• The bug

  • The original problem page
  • Bug report

• Test case:

  • Frameset page
  • Frame 1
  • Frame 2

• Screen shots

  • Normal frameset (not redirected)
  • Error: Second frame empty
  • Error: Frameset recursion