I was digging through my Apache httpd access logs the other day and noticed that a particular Firefox user was hitting my favicon over and over. In fact, it seemed to be making the request every 10 seconds or so. At this point, I'm sort of assuming that someone's Firefox has just gone bonkers. But, there was something that caught my eye:
x.x.x.x - - [26/Apr/2011:23:29:54 -0500] "GET /favicon.ico HTTP/1.0" 304 - "-" "Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-GB; rv:18.104.22.168) Gecko/20110318 Red Hat/3.6-1.el5_6 Firefox/3.6.15"
Notice that the server is returning a 304 status code (the part right after
"GET /favicon.ico HTTP/1.0"). A 304 status code means that the browser asked if there was a newer version of the file, and the server responded that there was none. Here's a look at the HTTP request (I've chomped out a few bits that I thought revealed a bit too much about the user):
GET /favicon.ico HTTP/1.0 Host: slaptijack.com User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-GB; rv:22.214.171.124) Gecko/20110318 Red Hat/3.6-1.el5_6 Firefox/3.6.15 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-gb,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 If-None-Match: "34b0e6-115-fd0a9f00" Cache-Control: max-age=259200 Connection: keep-alive
What you see above is a conditional GET. The
If-None-Match: "34b0e6-115-fd0a9f00" header tells the web server to only send the file if the entity tag (ETag) is different. If the entity tag hasn't changed, then the browser already has the latest copy of the file. By the way, I used a combination of tcpdump and wireshark to grab and view the HTTP request.
At this point, I see no reason to stop whatever the user is doing.