Fun with HTTP

Nemo (@captn3m0)

Nemo

GET /
Host: api.captnemo.in

200 OK
​Link: <https://twitter.com/captn3m0>; rel=twitter,
<https://about.me/n3m0>; rel=about,<https://razorpay.com>; rel=work,
<https://captnemo.in>; rel=website

Teapots?

Hyper Text Transfer Protocol

Stateless?

RFC1945: May 1996
RFC2068: Jan 1997
RFC2109: Feb 1997

Version 0.9beta of Mosaic Netscape, released on October 13, 1994 supported Cookies

Cache in HTTP

Cache Headers

  • Content-Location

  • Content-MD5

  • ETag

  • ​Last-Modified

  • Cache-Control

  • Expires

Browser As A Caching Proxy?

A transparent proxy MUST NOT modify any of the following fields in a response:

  • Expires

but it MAY add any of these fields if not already present.

If an Expires header is added, it MUST be given a field-value identical to that of the Date header in that response.

Cache-Control: max-age=31536000

Cache-Control wins!

If a response includes both an Expires header and a max-age directive, the max-age directive overrides the Expires header, even if the Expires header is more restrictive.

This rule allows an origin server to provide, for a given response, a longer expiration time to an HTTP/1.1 (or later) cache than to an HTTP/1.0 cache. This might be useful if certain HTTP/1.0 caches improperly calculate ages or expiration times, perhaps due to desynchronized clocks.

Its easier!

A non-transparent proxy MAY modify or add these fields to a message that does not include no-transform, but if it does so, it MUST add a Warning 214 (Transformation applied) if one does not already appear in the message

 

Warning: 214

451: Unavailable for Legal Reasons

451

HTTP/1.1 451 Unavailable For Legal Reasons
Content-Type: text/html

   <html>
    <head><title>Unavailable For Legal Reasons</title></head>
    <body>
     <h1>Unavailable For Legal Reasons</h1>
     <p>This request may not be serviced in the Roman Province
     of Judea due to the Lex Julia Majestatis, which disallows
     access to resources hosted on servers deemed to be
     operated by the People's Front of Judea.</p>
    </body>
   </html>

451

www.451unavailable.org

 

https://www.youtube.com/red/
https://www.spotify.com/int/why-not-available/
https://www.netflix.com/in/

Content Negotiation

Content Negotiation

  • Accept
  • Accept-Language
  • Accept-Encoding

Chrome

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

 

Dear Server,

I want the resource in an HTML or XHTML or XML format. If you cannot serve me this way, I'll take in WebP instead. If you can't even give it to me in WebP, well, I'll take anything you've got!


Love,
Chrome

http://www.newmediacampaigns.com/blog/browser-rest-http-accept-headers

Cross Origin Resource Sharing

Preflight Rules

A simple cross-site request is one that:

  1. Only uses GET, HEAD or POST. If POST is used to send data to the server, the Content-Type of the data sent to the server with the HTTP POST request is one of application/x-www-form-urlencoded, multipart/form-data, or text/plain.
  2. Does not set custom headers with the HTTP Request (such as X-Modified, etc.)

 

Non Simple Request = Preflight

POSTing is fun!

http://requestb.in/179i1r11?inspect

 

You can't rely on the Same Origin Policy anymore.

Preflight Crashes

Route::any('foo', function()
{
    return 'Hello World';
});

 

This responds to OPTIONS as well

418 I'm a Teapot

Helpful Teapot Photo

418 I'm a Teapot

TEA-capable pots that are not provisioned to brew coffee may return either a status code of 503, indicating temporary unavailability of coffee, or a code of 418 as defined in the base HTCPCP specification to denote a more permanent indication that the pot is a teapot.

501 Not Implemented

The server does not support the functionality required to fulfil the request. This is the appropriate response when the server does not recognise the request method and is not capable of supporting it for any resource.

 

Host: microwave.me

BREW /peppermint

 

501 Not Implemented

402

402 Payment Required

402

Reserved for future use. The original intention was that this code might be used as part of some form of digital cash or micropayment scheme, but that has not happened, and this code is not usually used.

 

Google Developers API uses this status if a particular developer has exceeded the daily limit on requests.

 

https://github.com/mleonhard/hipp
The Hamming Internet Payment System

Thanks!

Fun with HTTP

By Nemo

Fun with HTTP

  • 3,432