Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: CanonicalHeaderKey capitalization is non-conformant with RFC 6455 #18495

Closed
shosti opened this issue Jan 2, 2017 · 1 comment

Comments

Projects
None yet
3 participants
@shosti
Copy link

commented Jan 2, 2017

What version of Go are you using (go version)?

go version go1.7.4 linux/amd64

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/shosti/go"
GORACE=""
GOROOT="/usr/lib/go"
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build649225145=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"

What did you do?

Minimal reproduction: https://play.golang.org/p/jMuUMK5TDL

What did you expect to see?

According to RFC 6455, headers for WebSocket upgrades are capitalized as Sec-WebSocket-* (e.g. Sec-WebSocket-Key). CanonicalHeaderKey should canonicalize those headers to be compliant with the spec.

What did you see instead?

CanonicalizeHeaderKey returns header keys capitalized as Sec-Websocket-* (without the uppercase S in Socket).

While this may not seem like a big deal, I've encountered real-world servers that rely on the correct capitalization (obviously not a good idea). It's especially problematic because all HTTP request parsing canonicalizes the header keys. This has led to some pretty severe issues with a proxy server I had running in production that had to forward WebSocket requests to arbitrary servers.

@bradfitz

This comment has been minimized.

Copy link
Member

commented Jan 2, 2017

Dup of #18476 #18196 #5022 etc

I don't think we're going to do anything here. RFC 6455 can't mandate the case of headers, since HTTP/1 says that they're case insensitive. And in HTTP/2 there is no case on the wire.

Sorry. I don't want to complicate Go and encourage buggy libraries from assuming case.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.