httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From r..@ai.mit.edu (Robert S. Thau)
Subject Fun with Content Negotiation.
Date Sun, 19 Mar 1995 18:03:34 GMT
I've now got a server with content negotiation on www.ai.mit.edu on
port 8000.  Time for stupid httpd tricks.

If you connect to http://www.ai.mit.edu:8000 using Arena, you'll see
an HTML3 page with a table.  With any other Web client, including
table-capable ones which aren't smart enough to announce themselves as
such to the server (e.g., Netscape 1.1b1) you see the table faked up
with <pre>.  (The table looks a whole lot better in Netscape than in
Arena --- in fact, it doesn't look very good at all in Arena --- but
this does make the point).

(This demonstrates content negotiation based on level=foo, and
incidentally, the server using MultiViews to find index.html and
index.html3 based on "DirectoryIndex index").

If that isn't enough of a thrill for you (yeah, right), you can poke
around at http://www.ai.mit.edu:8000/xperimental/map-test/foo.map.  A
copy of the actual map is at the bottom of this note --- the syntax is
Roy's meta/http, with '#' comments thrown in.  (Roy, I know that's not
kosher, but people would expect it to work anyway).  You can play
around with various combinations of Accept:, Accept-Language: and
Accept-Encoding: --- if it does anything unexpected, please let me
know. 

The corresponding files actually do exist, but they contain ascii
strings describing their alleged type, rather than actual data of the
type, so you can safely telnet in to port 8000 and type in GET
commands without having binary goop blasted back at you.
  
FWIW, this server is built on Rob's apache-0.2 distribution, with
patches B27 (fix B23&XBITHACK), P12 (nameserver cache), the as yet
unnumbered patch I cooked up this morning, and the NCSA security patch
(which brings 1.3 up to the level of 1.3R).  To this stew is added the
content-negotiation code itself (recently transferred over from
apache-pre), and ten lines of ugliness for exact back-compatibility
with ai_httpd.  The ugliness will never be seen outside this building,
but it does have the salutary effect of allowing me to run my full
server test battery (such as it is) against this server.  That was an
interesting and useful exercise.  (Notice I didn't say pleasant ;-).

Unresolved issues on the "user-interface" side of this, besides the
obvious question of map file syntax:

1) Security.  The code is still enforcing the restriction that map
   files can only map things in the same directory.  I sort of buy
   the argument that includes have the same implications as doing
   this more generally, but includes can be turned off.  Also, should
   paths in the map files be real or virtual?

2) Another really cute security hole --- if a Malicious Entity can
   create map files, they can declare a CGI script to be a text/plain
   view of something, and retrieve its source code that way.  (Then
   again, .htaccess files which might contain "AddType text/plain cgi"
   offer the same --- how shall I say --- *opportunity*).
  
3) Emacs backup files sometimes show up as unwanted text/plain views
   (for text/plain, read whatever your DefaultType is).  It's tempting
   for me to have MultiViews search ignore anything which is
   IndexIgnored.  On the other hand, this may be a use for something
   which I've wanted for a while, a TotallyIgnore directive, which
   would keep the server from acknowledging the existance of files
   with a given suffix in any way (including retrieving it).

   (This could keep crackers from cruising a site for nearly-current
   source code by fishing for backups).

4) The code still isn't doing anything in particular to allow for
   server-side includes in HTML3.  A new magic MIME type is the
   quickest, simplest way to handle this.  Unfortunately, it's not the
   *right* way --- but it doesn't make the right thing much harder to
   implement later.

Another note will follow, with questions that came up about the
spec while I was implementing all this.

rst
  
  
  
Oh yes, here are the contents of foo.map --- I was trying to break the
parser with this; if I were trying to impress anyone with the elegance
of the syntax, it would look a little different...

  URI: foo, vary="type,encoding"
  
  #Let's get some comments in here.
  
  URI: foo.html
  # this is another comment.
  Content-type: text/html
  Content-language: fr-provencal
  
  URI: foo.au
  # Now, how about continuation lines?
  Content-type:
     audio/basic
  
  # The next example shows how you might jigger things to
  # get a compressed version shipped, if the client will take it...
  
  Uri: foo.gif.Z
  Content-type: image/gif; qs = 0.8
  Content-encoding: gzip
  
  uri: foo.gif
  Content-type: image/gif; qs = 0.5
  
  URI: foo.html3
  Content-type: text/html;
  # Comments can appear in the STRANGEST places.
     level = 3
  # Even here.
  Content-language: en
  Content-encoding: 8bit
  #and here
  
  URI: foo.txt
  Content-type: text/plain
  

Mime
View raw message