
Ensure that browsers never send a malformed request except by explicit request from scripts #1822

Open
@DemiMarie


What is the issue with the Fetch Standard?

The Fetch Standard allows field values to contain control characters that are not valid in HTTP. In HTTP/2 and later, this makes a request malformed, and servers are required to close the stream. If it is possible for a header that the user agent sends automatically to have an invalid value, this could cause problems. For instance, setting a Cookie header with an invalid value could prevent the user from navigating to a website. Furthermore, the handling of fields with invalid values differs between server implementations: HAProxy and NGINX are permissive, Varnish is strict, and nghttp3 silently discards headers if the field has an invalid value. Envoy goes further and closes the entire connection.

To avoid such problems, it would be best to ensure that invalid HTTP field values are only ever sent by explicit request from scripts, and only for fields that scripts have complete control over the values of. This ensures two useful properties:

  1. Requests will always be well-formed unless a script explicitly chooses to make a malformed request.
  2. Regardless of how servers handle malformed values, information that is under the control of the user agent will be received correctly.

If these properties are already ensured, it would be useful to document this.
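
The gap the issue describes, as an added example that is not part of the original issue or of the Fetch Standard: a checker that classifies a field value against the Fetch Standard's header value definition and against the RFC 9110 `field-value` grammar, and reports the octets that fall between the two. The function names are hypothetical, the rules are the ones summarized in the comments, and the sample values in the closing comment are constructed.

```javascript
// Convert a ByteString (code points <= 0xFF) to an array of octets.
// The value is checked as given, without Fetch's normalization step.
function toBytes(value) {
  return Array.from(value, (ch) => {
    const code = ch.charCodeAt(0);
    if (code > 0xff) throw new TypeError("not a byte string");
    return code;
  });
}

// Fetch "header value": no leading/trailing HTAB or SP, and no
// 0x00 (NUL), 0x0A (LF) or 0x0D (CR) anywhere.
function isFetchHeaderValue(bytes) {
  const edge = (b) => b === 0x20 || b === 0x09;
  if (bytes.length > 0 && (edge(bytes[0]) || edge(bytes[bytes.length - 1]))) {
    return false;
  }
  return !bytes.some((b) => b === 0x00 || b === 0x0a || b === 0x0d);
}

// RFC 9110 field-value: VCHAR (0x21-0x7E) or obs-text (0x80-0xFF),
// with SP and HTAB permitted only in the interior.
const isFieldVchar = (b) => (b >= 0x21 && b <= 0x7e) || b >= 0x80;

function isRfc9110FieldValue(bytes) {
  if (bytes.length === 0) return true;
  if (!isFieldVchar(bytes[0]) || !isFieldVchar(bytes[bytes.length - 1])) return false;
  return bytes.every((b) => isFieldVchar(b) || b === 0x20 || b === 0x09);
}

// Octets that Fetch accepts but the RFC 9110 grammar does not:
// control characters other than HTAB, NUL, LF and CR, plus DEL.
function gapOctets(bytes) {
  return bytes
    .map((octet, offset) => ({ offset, octet }))
    .filter(({ octet }) => !isFieldVchar(octet) && octet !== 0x20 && octet !== 0x09);
}

function classify(value) {
  const bytes = toBytes(value);
  if (!isFetchHeaderValue(bytes)) return "rejected-by-fetch";
  return isRfc9110FieldValue(bytes) ? "well-formed" : "fetch-only";
}

// Constructed sample values:
//   classify("session=abc123")    -> "well-formed"
//   classify("session=abc\x01de") -> "fetch-only"
//   classify("a\r\nb")            -> "rejected-by-fetch"
```

A value classified as `fetch-only` is one that a user agent following Fetch may put on the wire while an HTTP implementation applying the RFC 9110 grammar treats it as invalid.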
