As designed: Behavior of Accept header not RFC 7231 compliant?

ForumGeek

Member
Affected version: 2.2.13
Hi,

when using the somewhat exotic but not forbidden Accept header

Code:
Accept: */*, image/avif

on a text/html output (for example the forum homepage) XenForo produces a 406 error.

This is not the case when using either
Code:
Accept: */*, text/html, image/avif
or
Code:
Accept: */*
which both return a 200 code as expected.

I can understand that the header combination "Accept: */*, image/avif" implies that an image is expected; however, referring to RFC 7231, the wildcard "*/*" should always return a 200 code when requesting text/html content.
 
Some GET requests can have minor side effects (content read marking, page view counts), or be computationally expensive. If you falsely embed these requests as images somewhere (i.e. <img src="https://xenforo.com/community/">), they can cause unintended behavior for users or become a DDoS vector.

XenForo attempts to detect this situation and inhibit the request. Browsers send the wildcard in most requests, including embedded image requests, so it cannot be used to reliably determine that a request is not an embedded image request. This tends not to be a problem in practice, as the request is allowed if the header either explicitly contains text/html or some other value that does not start with image/.

In the time since this was implemented, better methods of mitigating this have become available (SameSite cookies, Sec-* headers), but it is a little too early to reevaluate the approach just yet.
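The heuristic described in the reply above, written out as an added example. This is an illustrative reconstruction for readers of the thread, not XenForo's own code, and the function and sample names are made up here. It treats a request for an HTML page as a suspected embedded-image fetch (refused with 406) only when every non-wildcard media range in Accept starts with `image/`, so `*/*` alone is allowed and `*/*, image/avif` is refused exactly as the first post observed. It also shows the kind of Fetch Metadata check the reply alludes to: when a browser sends `Sec-Fetch-Dest`, that header states the request's purpose directly and is used instead of the Accept guess.

```python
"""Illustrative reimplementation of the Accept-header heuristic described in
the thread (not XenForo's actual code). A request for an HTML page is treated
as a suspected embedded-image fetch (refused with 406) when every non-wildcard
media range in Accept is image/*. The wildcard */* alone is ambiguous, because
browsers send it on nearly every request, so it counts neither for nor against
the request. When the Fetch Metadata header Sec-Fetch-Dest is present it is
used instead, since it states the request destination explicitly."""

from typing import Dict, List


def parse_accept(header: str) -> List[str]:
    """Return the media ranges of an Accept header, lowercased, with
    parameters such as q=0.8 removed. An empty header yields []."""
    ranges = []
    for part in header.split(","):
        media_range = part.split(";", 1)[0].strip().lower()
        if media_range:
            ranges.append(media_range)
    return ranges


def accept_allows_html(header: str) -> bool:
    """Apply the thread's heuristic to an Accept header value.

    Allowed: no header, bare */*, or any explicit non-image media range.
    Refused: only */* plus one or more image/* ranges (looks like <img src>).
    """
    explicit = [r for r in parse_accept(header) if r != "*/*"]
    if not explicit:
        return True  # "*/*" alone, or no Accept header at all
    return any(not r.startswith("image/") for r in explicit)


def html_response_status(headers: Dict[str, str]) -> int:
    """Decide the status code for an HTML page request.

    Prefers Sec-Fetch-Dest when the browser sent it; otherwise falls back to
    the Accept heuristic. Header names are matched case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    dest = lower.get("sec-fetch-dest")
    if dest is not None:
        # "image" means the URL is being fetched for an <img>-style element;
        # "document", "iframe", "empty" and the rest are not image loads.
        return 406 if dest.strip().lower() == "image" else 200
    return 200 if accept_allows_html(lower.get("accept", "")) else 406


# Constructed sample requests; the first three use the headers quoted in the thread.
SAMPLE_REQUESTS = {
    "exotic": {"Accept": "*/*, image/avif"},
    "with_html": {"Accept": "*/*, text/html, image/avif"},
    "wildcard": {"Accept": "*/*"},
    # Constructed browser-style <img> fetch: only image types plus */*;q=0.8.
    "browser_img": {
        "Accept": "image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8",
        "Sec-Fetch-Dest": "image",
    },
    # Same Accept value as "exotic", but Fetch Metadata says it is a
    # top-level navigation, so the Accept guess is not needed.
    "exotic_navigation": {"Accept": "*/*, image/avif", "Sec-Fetch-Dest": "document"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_REQUESTS.items():
        print(f"{name:18s} -> {html_response_status(hdrs)}")
```

Running the script prints 406 for the "exotic" and "browser_img" requests and 200 for the other three, which makes the trade-off in the reply concrete: with only Accept to go on, the RFC-conformant `*/*, image/avif` is indistinguishable from an image load, while a `Sec-Fetch-Dest` value resolves it without guessing.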
 