
I have a REST API that returns a 304 Not Modified status code for some requests (those that have an If-Modified-Since header). The problem is that the apache2 software strips any CORS header prior to the response being sent to the browser.

This happens only when the status code is 304. Any other endpoint works great with CORS. All the pre-flight requests also work great.

I have read on the internet that Apache does this in order to comply with some specs, but I can't believe that CORS with 304 is not supposed to work in the specs.

Is there a way I could achieve this with apache?

Update:

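My JavaScript is:

```javascript
var xhr = new XMLHttpRequest();
// Cross-origin GET to the API; the token is read from localStorage
xhr.open('GET', 'http://api.domain.com/api/endpoint?token='+localStorage.getItem('token'));
// Conditional header set by the script itself, not by the browser cache
xhr.setRequestHeader("If-Modified-Since", "Mon, 11 Jan 2016 15:46:54 GMT");
xhr.send(null);
```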

I get an error:

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://xxx.domain.com' is therefore not allowed access.

Andrew Schulman
user237329
  • 304 isn't a header. It's a status code. Are the missing CORS headers causing a problem? – Jayen Jan 13 '16 at 05:23
  • Correct, 304 is a status code, not a header. I am not sure what you are asking, @jayen. My app sends the CORS headers to Apache, but Apache does not send the headers to the browser. The missing headers in the browser cause problems for xhr requests when they do not see the "Access-Control" headers in the response. – user237329 Jan 13 '16 at 07:03
  • I don't believe it's a server/browser problem. Are you forcing the `If-Modified-Since` header on a request the browser has not cached? – Jayen Jan 13 '16 at 07:11
  • The browser hasn't cached it, but your server is telling it to use its cache. Perhaps you could use `204 No content` instead of `304 Not modified` to signal the not modified to your javascript. With the `304` the browser is getting in the way. – Jayen Jan 14 '16 at 00:25

1 Answer


304s don't need to include the CORS headers. Browsers should see the 304 and use the cache.

https://bz.apache.org/bugzilla/show_bug.cgi?id=51223#c1

CORS doesn't require those headers on a 304, and indeed browsers work without them present on it. This is because many 304s are generated from intermediary caches that can't be updated to know about CORS.

Jayen
  • Well, that is my problem: "CORS doesn't require those headers on a 304". But when I do my request, in Chrome I get `No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://xxxx.domain.com' is therefore not allowed access.` – user237329 Jan 13 '16 at 07:30
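
Added example, not part of the original posts and not Apache's or any browser's code: a simplified model of the Fetch standard's CORS check. It shows why a 304 without CORS headers works when the browser revalidates its own cache entry, but is blocked when the script sets `If-Modified-Since` itself, as in the question. The function names and sample values are constructed, and credentialed requests are left out.

```javascript
// Simplified model of the Fetch standard's CORS check (illustrative names).

// Non-credentialed CORS check: the response handed to the script must carry
// an Access-Control-Allow-Origin header that is "*" or equals the origin.
function corsCheck(origin, headers) {
  const allow = headers['access-control-allow-origin'];
  return allow === '*' || allow === origin;
}

// Decide what the page script receives for a cross-origin GET.
//   request.scriptSetConditional: the script called
//       setRequestHeader('If-Modified-Since', ...) itself
//   cached:   headers of a previously stored 200 response, or null
//   response: { status, headers } as it arrives from the server
function deliver(request, cached, response) {
  let effective = response;
  if (response.status === 304 && !request.scriptSetConditional && cached) {
    // Browser-initiated revalidation: the 304 only refreshes the stored
    // response, so the stored 200 with its original CORS headers is checked.
    effective = { status: 200, headers: { ...cached, ...response.headers } };
  }
  // Script-set conditional header: the HTTP cache is bypassed, so the bare
  // 304 is the response that must pass the CORS check on its own.
  return corsCheck(request.origin, effective.headers)
    ? { blocked: false, status: effective.status }
    : { blocked: true, status: 0 };
}

// Constructed sample data mirroring the question.
const origin = 'http://xxx.domain.com';
const acao = { 'access-control-allow-origin': origin };
const bare304 = { status: 304, headers: {} }; // CORS headers stripped

// 1. The question's case: script forces If-Modified-Since, nothing cached.
const forced = deliver({ origin, scriptSetConditional: true }, null, bare304);
// 2. The browser revalidates a copy it cached earlier with CORS headers.
const revalidated = deliver({ origin, scriptSetConditional: false }, acao, bare304);
// 3. The 204 suggested in the comments, sent with the CORS header.
const noContent = deliver({ origin, scriptSetConditional: true }, null,
                          { status: 204, headers: acao });

console.log({ forced, revalidated, noContent });
```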