-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding more bogus header values #2045
Adding more bogus header values #2045
Conversation
Critic review: https://critic.hoppipolla.co.uk/r/5681 This is an external review system which you may optionally use for the code review of your pull request. In order to help critic track your changes, please do not make in-place history rewrites (e.g. via |
I think disallowing setting the value to a single space (or any other ws character) is OK - but are we really sure it's web compatible to disallow leading and trailing spaces? I'd rather tell the RFC author to relax that requirement.. |
@annevk thoughts? |
@Ms2ger points out https://www.rfc-editor.org/errata_search.php?rfc=7230&eid=4189%3E - thanks! Also, I note that RFC7230 says
(See 3.2.4. Field Parsing) So, since the RFC doesn't forbid sending those spaces over the wire the question is whether an author saying |
Agreed, the question is more at XHR level than at RFC level. |
See also https://www.w3.org/Bugs/Public/show_bug.cgi?id=27797. The discussion in the WebKit bugs is a bit unclear to me. ap is referring to a specification change, but this time WebKit actually changed ahead of any specification changes. We could make |
My first impression was that it's too risky to start throwing exceptions for input nobody was throwing exceptions for until now. I've done some more testing of the current state of implementations, and we have an interesting range of behaviours:
So setting a header to whitespace only is sort of a hack solution for "removeRequestHeader()" being missing, and I guess a few sites have discovered this and use it as such. It's also extremely likely that there are some typos and minor bugs out there adding ws before or after values - harmless stuff that would break if we start throwing. Ergo: I think we should not start mandating exceptions for whitespace in the header value. I think either IE's or Chrome's behaviour can be standardised, although perhaps Chrome's is a tad less surprising to a web developer. @annevk agree? |
We should have a way to have a header with an empty value so 1/2 make the most sense. Stripping on both sides is probably somewhat better? It's a bit unclear to me if this should affect the |
IMHO stripping on only one side just looks odd, inconsistent :-p. So let's align with Chrome. @youennf - could you change the PR? It would be nice to have a new test based on XMLHttpRequest/setrequestheader-allow-empty-value.htm to verify that ws is removed instead of the changes we have now. |
Sounds good to me. |
It may also be worth investigating how the XHR header combine rule works with empty strings. |
Why, isn't |
Digging a little bit more the issue, setting a "Content-Type" with the empty value is not in a very good shape. As can be read in https://bugs.webkit.org/show_bug.cgi?id=147445, one web app is currently using " " as "Content-Type" value. They are migrating to application/octet-stream which makes more sense but are still using it currently. I think the browser should try to honor what the web app wants (or maybe throw an exception). Changing the value behind the scene seems strange, especialy the combined value. |
Combine semantics only take effect if the developer sets a header twice. The user agent is only supposed to add |
Agreed. |
Adding more bogus header values
great, thanks @youennf |
@youennf would you like to be added as Youenn Fablet to the acknowledgments section of the Fetch and XMLHttpRequest Standards? Or rather as youennf? |
Thanks for asking. |
WebKit tightened a bit header values checking based on RFC 7230 rules.
Related bug entry is https://bugs.webkit.org/show_bug.cgi?id=128593.
The " " header value specific case is discussed in https://bugs.webkit.org/show_bug.cgi?id=147445 as some sites actually use it.