Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add connection header to excluded sigv4 headers #2606

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

add connection header to excluded sigv4 headers #2606

wants to merge 2 commits into from

Conversation

shulin-sq
Copy link

context: #2594

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Connection

connection is a hop by hop header that is expected to be stripped by the server. It is already excluded in the java sdk and should be excluded here as well.

@shulin-sq shulin-sq requested a review from a team as a code owner April 12, 2024 03:26
@lucix-aws
Copy link
Contributor

What exactly does this fix? I get that Java is doing it but it's still a behavior change for us. Behavior changes, especially around signing, come with risk. An explanation or really a concrete example of why this matters helps us to be sure we're doing the right thing here.

@lucix-aws lucix-aws added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Apr 18, 2024
@shulin-sq
Copy link
Author

@lucix-aws hello thank you for the response. As per the issue/discussion post I linked, this was a legitimate issue we ran into when trying to perform sigv4a signing with this library.

I liked an explanation from my coworker which I am going to steal: "the reason Connection should not be included in signature calculations is because it is a hop-by-hop header. that means that individual hops between your client and the aws service api (e.g. forward proxies, CDNs, reverse proxies, etc) are expected to drop the header. so even if the header was sent by your client, it wasn't received by the aws server that did signature validation"

I do wish that the java sdk left a bit more documentation around why this header was excluded so that this is easier to understand.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Apr 20, 2024
@shulin-sq
Copy link
Author

@lucix-aws are there any other concerns?

@lucix-aws
Copy link
Contributor

Yes - your justification is completely sound on spec, and if I was releasing this today I would elect to include this change, but as it stands I still don't understand what this is actually fixing. Based on some rudimentary local testing we don't appear to be setting a Connection header in the SDKs to begin with.

Behavior changes, especially around signing, come with risk

To expound - this change in behavior affects everybody using the v2 SDK or its sigv4 implementation. We have no real way of knowing whether something out there that consumes this software would be broken by the newly unsigned/un-canonicalized header. I would really rather not touch signing in this way unless absolutely necessary.

As it stands if I took this patch I would be assuming the risk without any understanding of the benefit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@shulin-sq @lucix-aws