New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow header value to be an Array of String instances. #1793
Conversation
1439795
to
3e8e2ad
Compare
@jeremyevans @tenderlove Looking at the RFC, there should be no need to delete an existing cookie by scanning the list of I believe that there would be very few cases where this is actually useful behaviour. i.e. someone would have to add and then delete a cookie with the same details to hit this case. Bearing in mind, this means that every time someone deletes the cookie, it's O(N) scan, and even worse on the current implementation which has to unpack, parse and then recombine all the cookies. I'd personally like to simplify this in this PR. If someone deletes a cookie, we simply append the appropriate deletion ( The only disadvantage I can see with this is if someone sets, say, a 1MiB cookie and then deletes it, in my proposed implementation it would send still 1MiB of cookie data. I think the simplicity (and probably performance) win is big enough to justify the difference. That being said, if there are buggy behaviours that don't process |
By the way, I've also removed a bunch of |
Doing some digging, found that it looks like we did previously support header value being an Array: Lines 84 to 96 in f23e833
|
@leahneukirchen I see your first implementation here: 7ed819a#diff-cfcc6d2645b6f77c5ec05acd448f280ce3004d3dba85b8aef3b3c81faf6d1373R53-R55 It looks like you decided to delete cookies with the given name using a regexp. While I understand that it's a fairly "complete" implementation, my impression of reading the RFC is that it's unnecessary, as adding a later header with |
This is definitely better than splitting on I realize the spec says values below I'm not sure what we should do exactly, but the spec needs to be quite strongly worded with regard to the data allowed in headers, and we might want to add exceptions and checking in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm OK with the protocol change. I think we need to properly deprecate the Utils methods, unless doing so is not feasible.
@tenderlove I actually had a similar discussion and we introduced checks here as a result (which is used by Falcon): https://github.com/socketry/protocol-http1/blob/main/lib/protocol/http1/connection.rb#L160 This problem doesn’t apply to HTTP/2 w.r.t. potential security issues so I don’t bother with a similar check there. |
@tenderlove I checked this and Webrick already fails if you give it a header containing an invalid value: e.g.
Result:
So, I don't think we need to do anything here, as it's already correctly failing. WDYT? |
As @jeremyevans mentioned, if someone includes Rack 2 they will get the Rack 2 implementation, and if they include Rack 3 they will get the Rack 3 implementation. I don't think backwards compatibility is needed here?
Webrick appears to validate this internally now.
My feeling is it's better to check this in the server since it reduces the performance cost (doesn't double up on checks). |
3e8e2ad
to
5d438ee
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks mostly good, just need to modify the warn
calls.
5d438ee
to
802e9e6
Compare
Addresses #1598