-
-
Notifications
You must be signed in to change notification settings - Fork 15.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HttpConversionUtil - Incorrect conversion of Cookie header #4457
Comments
@Scottmitch @nmittler please have a look guys :) |
I wonder if @Scottmitch WDYT? |
@nmittler +1 |
@nmittler - As far as I can tell, that won't work. What is true for one header is not necessarily true for others. Specifically I can think of the |
Yup, looking at https://tools.ietf.org/html/rfc7230#section-3.2.2 ...
And as described in http://tools.ietf.org/html/rfc6265#section-5.4: @blucas Are you saying that Chrome is sending multiple |
+1 for not merging headers 😃 @nmittler I haven't checked that yet. My assumption is that it is a Netty related issue, as Firefox is also affected by this. I will check now and get back to you |
Ok, so I still don't know if it is the browser's or netty's (possibly twitter hpack's) fault. All I can tell you is
Maybe @Scottmitch could shed some light on this one? BTW, looking at chrome://net-internals for the request generated this stack:
Chrome did the |
@blucas - Can you post your server code somewhere (or some reduced set of it)? I just modified the example http2 helloworld server and client to both use the HTTP/1.x translation layer and added a cookie from the client (
It looks like CSV headers are preserved ( |
@Scottmitch - I don't have a reproducer handy for you to test with, but all you need to do is make your HTTP/2 client send multiple
No. We shouldn't force everything to use single CSV. I took a look at the HTTP/2 spec, and finally think I've found what I'm trying to explain.
So, according to the spec, it is perfectly valid for a HTTP/2 client to send multiple
So I interpret that as Netty's
I hope that makes more sense 😃 |
@Scottmitch - gentle ping :) |
@Scottmitch ^^ |
@blucas - Sorry for the delay and thank you for the reference to the specification. I will submit a PR soon. |
Motivation: The HTTP/2 RFC allows for COOKIE values to be split into individual header elements to get more benefit from compression (https://tools.ietf.org/html/rfc7540#section-8.1.2.5). HttpConversionUtil was not accounting for this behavior. Modifications: - Modify HttpConversionUtil to support compressing and decompressing the COOKIE values Result: HttpConversionUtil is compatible with https://tools.ietf.org/html/rfc7540#section-8.1.2.5) Fixes netty#4457
Motivation: The HTTP/2 RFC allows for COOKIE values to be split into individual header elements to get more benefit from compression (https://tools.ietf.org/html/rfc7540#section-8.1.2.5). HttpConversionUtil was not accounting for this behavior. Modifications: - Modify HttpConversionUtil to support compressing and decompressing the COOKIE values Result: HttpConversionUtil is compatible with https://tools.ietf.org/html/rfc7540#section-8.1.2.5) Fixes #4457
Netty Version: master (latest snapshot: a6816bd)
The browser (I used Chrome 46.0.2490.80 for testing) sent an HTTP/2 request containing multiple cookies to a netty service, the
HttpConversionUtil
generated multipleCookie
header entries in the HTTP/1.x request. According to one stackoverflow post, this is incorrect behaviour. TheHttpConversionUtil
should generate a singleCookie
header containing all cookie values.// cc @Scottmitch @nmittler - I could provide a patch, but I'm not too sure the best approach to take. Considerations about how to extract the cookies, and reformat them into a single header have to be made. If you could give me some tips, I might be able to come up with a PR.
The text was updated successfully, but these errors were encountered: