setRequestHeader behavior doesn't seem to match implementations #108
Comments
|
Oh, and of course if the spec changes here the XMLHttpRequest/setrequestheader-case-insensitive.htm web platform test needs to get updated. |
|
I expect XMLHttpRequest/setrequestheader-header-allowed.htm has the same issue.... |
|
One other note. At least in the case of Gecko, this is all handled in the underlying networking library, not XHR itself. Which means the "separate with comma and space" is general behavior for headers, and applies to fetch at the moment, and to any network requests that Gecko makes, including ones we don't have ported to be on top of fetch yet. I would not be surprised if the situation in other engines is similar. So it might make the most sense to change this in fetch after all... |
|
I think when I last looked at this Necko wasn't consistent in how it used spaces for various headers. And other browsers weren't either. Might have been |
|
It all depends on how the headers are set. If the header is set all at once to some string with commas and no spaces in it, then that's the string that will get sent. That's the Accept-Encoding situation: it's set all at once. But if the header is set multiple times with the same header name and multiple values and the coalescing into a single comma-separated list happens inside the networking library, then the spaces will be there. Just like if you do (in the current spec): you get a different value sent than if you do: |
|
The coalescing in WebKit is not consistent either, the underlying libraries usually implementing " ". |
|
s/implementing " "/implementing ", "/ |
I understand that. And in theory. :( In practice, lots of places seem to have custom processing of all sorts for XHR-sent headers. :( |
|
@youennf punting to RFC 7230 would be great, if it defined operations for this that everyone aligned on. However, that's not really their style. They're okay with A and B being semantically equivalent and not requiring a particular serialization. In any event, I guess I'll change this in Fetch to include the space. |
|
Okay, so we basically want to revert whatwg/fetch#207. |
|
So Fetch mentions
So in part I'd like to know how much inconsistency we want here. We can go with what the majority does I suppose, but we'll have to add some notes here and there to explain that is what we're doing, since casual onlookers will find it weird. |
|
It looks to me like Firefox uses What do other UAs do for Yes, the inconsistencies are a bit annoying, I agree. |
|
Chrome and Safari also do |
|
And per |
|
I just realized |
|
Of course, no tests exist for those. |
|
I'm pretty sure that getResponseHeader in Gecko separates with |
|
Seems that |
|
Current thinking, assuming the goal is maximum compatibility with deployed rather browsers, rather than a coherent whole:
Updating tests first... |
|
So I created this response to test HTTP/1.1 200 YAYAYAYA
foo-TEST: 1
FOO-test: 2
ALSO-here: Mr. PB
ewok: legoSafari ends up with FOO-test, Chrome and Firefox with foo-TEST. Sorting is different. Most other details are the same, including ending in \r\n which goes against the current standard. |
|
What's tricky about this test is that if we don't lowercase header names and sort them, all kinds of underlying HTTP library stuff gets exposed. Given that browsers are different, it seems reasonable to still try to change that? |
See whatwg/xhr#108 for context.
|
If you want to view my test and test changes: web-platform-tests/wpt#4641. |
I'm not sure what you mean. Don't both include both headers? I just went through the Firefox code for this stuff and at first glance we don't do any case-folding anywhere in there, but I might just be missing something..... |
|
Oh, I see, actually. We do kinda do case-folding but it's rather bizarre. When we first see a header name, we intern it; the key is the header string and the interned value represents that string. Later if we need to intern a header name, we look it up in the interning hashtable and this check does a case-insensitive match on the key, but returns whatever the value is. So afaict once we see a "foo-TEST" header we will treat all header names that are just different casings of it as "foo-TEST" or so. |
|
@youennf so in whatwg/fetch#189 you asked for header ordering to be defined as lexicographical. However, what do you suggest we do for |
|
Would it make sense to separate the issue between request headers and response headers? |
|
I'm fine with separating them, I filed #109 on the response headers, but I'd like to solve them all together. |
Safari TP doesn't run on my OS, so yes... I should have tested WebKit nightly, though.... |
|
Note to self: update web-platform-tests/wpt#4956 once I figure out what to do here. |
Unfortunately as established in whatwg/xhr#108 setRequestHeader() uses `, ` whereas fetch() uses `,` as value separator. This introduces a legacySpaceFlag for combine that XMLHttpRequest and WebSocket can use. New code and CORS (in Access-Control-Request-Headers) can continue not passing this flag. Tests were fixed in web-platform-tests/wpt#5008.
Depends on whatwg/fetch#501. Tests have been updated already. Fixes #108.
|
Steps I've taken thus far:
|
|
(I'm still assuming that Safari TP wants to change back here.) |
|
Filed https://bugs.webkit.org/show_bug.cgi?id=169285 on WebKit for this. Will likely land all the standard changes tomorrow. |
In particular, setRequestHeader() should use 0x2C 0x20 as separator (not just 0x2C) and get(All)ResponseHeader(s)() should do so too. The latter also always needs to end in 0x0D 0x0A rather than omitting it at the end. This depends on whatwg/fetch#504 landing first. Tests: web-platform-tests/wpt#4641 and web-platform-tests/wpt#5008. Fixes #108 and fixes #109.
Instead of just 0x2C, use 0x2C 0x20 somewhat consistently (except where we can't and point it out) as that is what XMLHttpRequest implementations have always done and nobody likes too much change. Fixes the Fetch part of whatwg/xhr#108 and whatwg/xhr#109.
|
So after discussion with the WebKit folks the plan has become to try and reconcile XMLHttpRequest and Fetch, aligning both on what XMLHttpRequest already did. New bugs filed: https://bugzilla.mozilla.org/show_bug.cgi?id=1346313 and https://bugs.chromium.org/p/chromium/issues/detail?id=700434. |
Instead of just 0x2C, use 0x2C 0x20 somewhat consistently (except where we can't and point it out) as that is what XMLHttpRequest implementations have always done and nobody likes too much change. Tests: web-platform-tests/wpt#5115. Fixes the Fetch part of whatwg/xhr#108 and whatwg/xhr#109.
In particular, setRequestHeader() should use 0x2C 0x20 as separator (not just 0x2C) and get(All)ResponseHeader(s)() should do so too. The latter also always needs to end in 0x0D 0x0A rather than omitting it at the end. This depends on whatwg/fetch#504 landing first. Tests: web-platform-tests/wpt#4641, web-platform-tests/wpt#5008, and web-platform-tests/wpt#5115. Fixes #108 and fixes #109.
If you look at http://w3c-test.org/XMLHttpRequest/setrequestheader-case-insensitive.htm it fails in all of Safari, Chrome, Firefox, and Edge. The test is doing this:
which asserts that the value of the "x-test" header that was sent to the server is "t1,t2,t3". In Safari, Chrome, Firefox, and Edge the value is "t1, t2, t3" (with spaces after the commas).
This sort of thing has come up before (e.g. whatwg/fetch#422)...
@annevk I don't know whether you want to fix this in XHR or in fetch or whether you think all browsers should change here or what...
The text was updated successfully, but these errors were encountered: