Add an error message warning developers of oversized headers. #10877
Conversation
An explanation of the issue being logged can be found here: https://forums.meteor.com/t/meteor-1-8-1-unexpected-error-too-many-csp-rules/48447/12.
|
LGTM, but maybe we should set |
|
@sebakerckhof That's a good point. I pushed a change to address it. |
|
Thanks. Just to make sure: you intended for this to only work in development mode (and not in a deployment?) |
|
Hmm actually I had intended the logs to show up both in development and production, since the issue could occur in both places. I'm fine putting it behind a flag, though, since developers would likely discover the issue while in development mode. |
|
As it is, it will currently only run in development mode, since the place you put it in (run-proxy) is only for development purposes. Basically this is a proxy server in front of the actual Meteor application server which handles a couple of things like error pages, requests during rebuilds etc. I think (= haven't tested, just by looking at the code), since it passes by this proxy server first in dev mode, you would need to have the changes here anyway. And have the same changes somewhere in the webapp package for production mode. |
|
Gotcha -- thanks for the thorough explanation. I will do some investigating to see how to address this for production builds. |
|
@sebakerckhof Hey, I looked into whether an extra check is needed elsewhere, and found that when run in a production build the max header size is not actually an issue and the client to server requests are successful. I believe this is because node's My understanding is that this is an issue for dev because of the proxy which will be sent the oversized headers from the server, and throw an error because of them. This wouldn't be an issue in production. So I think this change should be good as is, but feel free to let me know if my understanding is wrong or there is something I had not thought of. |
|
@sebakerckhof I'm just checking in. Does the above make sense? I think it should be good to go. |
|
Ok, thanks for the clarification. LGTM |
|
|
|
Thanks @shankwiler |
Currently if the headers exceed Node's set limit, the client will see a blank page with the text "Unexpected error." and nothing will be logged on the server. This PR adds a server-side log informing the developer of the cause and suggests using a node CLI option to increase the maximum allowable header size.
One scenario which leads to this error is if a project with many CSP rules upgrades from an older version of Meteor, prior to Node's reduction of the maximum allowable size from 80 KB to 8 KB (discussed here nodejs/node#24692).
This issue as it affects Meteor has been discussed here https://forums.meteor.com/t/meteor-1-8-1-unexpected-error-too-many-csp-rules/48447.