Avoid failing HTTP/2 requests with upgrade-insecure-requests #12799

Merged
merged 1 commit into from Sep 13, 2022

chrisvest
Contributor

Motivation:
This is a non-standard header that is not explicitly called out as connection related, even though it can be argued that it is. Regardless, Chrome and Firefox do actually send this header in their HTTP/2 requests, so rejecting these is quite troublesome. Safari doesn't send this header.

Modification:
Remove the check for upgrade-insecure-requests in the header validation in HpackDecoder. Also update tests to match.

Result:
HTTP/2 requests from Chrome and Firefox are no longer rejected by the header validation.

Fixes #12798

@chrisvest chrisvest added this to the 4.1.82.Final milestone Sep 13, 2022
@normanmaurer normanmaurer merged commit 570c5d7 into netty:4.1 Sep 13, 2022
@normanmaurer
Member

@chrisvest can you port this to main as well

chrisvest added a commit that referenced this pull request Sep 13, 2022
@chrisvest
Contributor Author

Ported

@chrisvest chrisvest deleted the 41-h2-header-validation-fix branch September 13, 2022 17:04
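
The kind of check this PR relaxes, as an added example rather than Netty's own code: RFC 9113 section 8.2.2 lists the connection-specific fields that make an HTTP/2 message malformed, with `te: trailers` as the only exception, and `upgrade-insecure-requests` is not on that list. The class and method names and the sample header blocks are assumptions made for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Added illustration; not Netty's HpackDecoder. All names here are hypothetical. */
public class H2ConnectionHeaderCheck {
    // Connection-specific fields that RFC 9113 section 8.2.2 forbids in HTTP/2 messages.
    // upgrade-insecure-requests is deliberately absent: the RFC does not list it.
    private static final Set<String> FORBIDDEN = Set.of(
            "connection", "proxy-connection", "keep-alive", "transfer-encoding", "upgrade");

    /** Returns null if the header block passes, otherwise the reason it is malformed. */
    static String validate(List<Map.Entry<String, String>> headers) {
        for (Map.Entry<String, String> h : headers) {
            String name = h.getKey();
            if (FORBIDDEN.contains(name)) {
                return "connection-specific field: " + name;
            }
            // TE is the one exception, and only with the value "trailers".
            if (name.equals("te") && !h.getValue().trim().equalsIgnoreCase("trailers")) {
                return "te must be \"trailers\", got: " + h.getValue();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample header blocks, not captured traffic.
        List<Map.Entry<String, String>> browser = List.of(
                Map.entry(":method", "GET"), Map.entry(":path", "/"),
                Map.entry("upgrade-insecure-requests", "1"), Map.entry("te", "trailers"));
        List<Map.Entry<String, String>> chunked = List.of(
                Map.entry(":method", "POST"), Map.entry(":path", "/"),
                Map.entry("transfer-encoding", "chunked"));
        List<Map.Entry<String, String>> badTe = List.of(
                Map.entry(":method", "GET"), Map.entry(":path", "/"),
                Map.entry("te", "gzip"));

        // Only the browser-style block is accepted (validate returns null).
        System.out.println("browser: " + validate(browser));
        System.out.println("chunked: " + validate(chunked));
        System.out.println("badTe:   " + validate(badTe));
    }
}
```

Keeping the RFC-listed fields rejected still matters when a proxy translates HTTP/2 to HTTP/1.1, where a forwarded `transfer-encoding` or `connection` field would change message framing.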
Successfully merging this pull request may close these issues.

Chrome/Firefox send upgrade-insecure-requests header