-
-
Notifications
You must be signed in to change notification settings - Fork 2.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Some fetch request headers don't add properly #24903
Comments
The test cases in fetch/api/basic/request-forbidden-headers.any.js are failing not because of anything to do with those three particular header names, but because the test is trying to set "" as the header values in these cases, which Servo currently disallows but should allow if it wants to pass this and some other WPT tests. servo/components/script/dom/headers.rs Lines 347 to 373 in bb5cd02
|
Servo's implementation of https://fetch.spec.whatwg.org/#dom-request successfully sets the referrer to NetTraitsReferrer::Client, but nothing else in Servo acts on that value. https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer step 3 is what's supposed to use it, but I can't find step 3 in Servo's implementation. servo/components/net/http_loader.rs Lines 210 to 212 in bb5cd02
servo/components/net/fetch/methods.rs Lines 233 to 257 in bb5cd02
|
https://github.com/servo/servo/blob/master/tests/wpt/web-platform-tests/fetch/api/headers/header-values.html and https://fetch.spec.whatwg.org/#concept-header-value indicate that a header value is allowed to contain octets that aren't even valid UTF-8. Servo definitely does not expect this, and when I change the validation code to allow it, Headers::fill crashes trying to unwrap value.to_str(). Assuming the spec and test are as intended, it will be necessary to comb for every codepath that expects header values to be legal UTF-8. Other browsers do pass this test. https://github.com/hyperium/http/blob/455f33e4d8a1e799c4081a08d912c516ce5b8680/src/header/value.rs#L12-L18 corroborates. |
forbidden-headers: Hyper seems to support empty header values, that should be fine.
WTP tests use HTTP/1.1. HTTP/2 headers are lowercase. Hyper uses lowercase headers for HTTP/1.1 by default, too, but Servo uses a config option to title case all HTTP/1.1 headers for compatibility reasons.
If you add an i for case-insensitive comparison, the test passes: assert_regexp_match(body, /THIS-is-A-test: 1, 2/i) .
|
HTTP standards often states that things like different string casing are semantically identical. My interpretation of this semantic equivalence, in terms of meeting WPT compliance goals when all major browsers already pass a given test, is that those things should have no effect on network behavior when executing HTTP protocols, but should still be preserved in a raw form and exposed verbatim to Javascript code unless the appropriate WHATWG standard says they're exposed in a normalized form. |
on the NetTraitsReferrer::Client front, #14507 comes into play. servo/components/net/fetch/methods.rs Lines 237 to 242 in bb5cd02
This in turn seems to depend on "settings objects", as also needed by e.g. #25079 |
So far we have avoided introducing an explicit settings object concept for fetches in favour of providing the data the fetch uses from them, like explicit origins. |
The compatibility concern was only about a few broken HTTP/1.1 servers: servo/components/script/dom/headers.rs Line 162 in bb5cd02
Set() and Append() lowercase header names, but Delete() and Get() do not yet. Firefox lowercases them, too. Lowercasing could be done at one place, in validate_name(). Go seems to have the same sane behavior as Hyper and gets away with it as it correctly assumed that underlying header implementations of broken servers are fixed once HTTP/2 support is added: golang/go#5022 |
hyperium/http#376 is at least one reason why we're still not passing header-values.html, though maybe not the only one. |
Header values no longer have to be ASCII or UTF-8 <!-- Please describe your changes on the following line: --> This passes some failed tests related to header validity when handling ByteStrings outside the printable ASCII range. A few failures remain because the HeaderValue class is stricter than WHATWG/WPT, disallowing various control-code bytes that the spec and tests expect to be allowed. --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `___` with appropriate data: --> - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix some of the test cases described in #24903 <!-- Either: --> - [X] There are tests for these changes OR <!-- Also, please make sure that "Allow edits from maintainers" checkbox is checked, so that we can help you if you get stuck somewhere along the way.--> <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. -->
Header values no longer have to be ASCII or UTF-8 <!-- Please describe your changes on the following line: --> This passes some failed tests related to header validity when handling ByteStrings outside the printable ASCII range. A few failures remain because the HeaderValue class is stricter than WHATWG/WPT, disallowing various control-code bytes that the spec and tests expect to be allowed. --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `___` with appropriate data: --> - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix some of the test cases described in #24903 <!-- Either: --> - [X] There are tests for these changes OR <!-- Also, please make sure that "Allow edits from maintainers" checkbox is checked, so that we can help you if you get stuck somewhere along the way.--> <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. -->
Header values no longer have to be ASCII or UTF-8 <!-- Please describe your changes on the following line: --> This passes some failed tests related to header validity when handling ByteStrings outside the printable ASCII range. A few failures remain because the HeaderValue class is stricter than WHATWG/WPT, disallowing various control-code bytes that the spec and tests expect to be allowed. --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `___` with appropriate data: --> - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix some of the test cases described in #24903 <!-- Either: --> - [X] There are tests for these changes OR <!-- Also, please make sure that "Allow edits from maintainers" checkbox is checked, so that we can help you if you get stuck somewhere along the way.--> <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. -->
Header values no longer have to be ASCII or UTF-8 <!-- Please describe your changes on the following line: --> This passes some failed tests related to header validity when handling ByteStrings outside the printable ASCII range. A few failures remain because the HeaderValue class is stricter than WHATWG/WPT, disallowing various control-code bytes that the spec and tests expect to be allowed. --- <!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `___` with appropriate data: --> - [X] `./mach build -d` does not report any errors - [X] `./mach test-tidy` does not report any errors - [X] These changes fix some of the test cases described in #24903 <!-- Either: --> - [X] There are tests for these changes OR <!-- Also, please make sure that "Allow edits from maintainers" checkbox is checked, so that we can help you if you get stuck somewhere along the way.--> <!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. -->
A few WPT tests fail because trying to put headers in a request does the wrong thing in some subcases.
fetch/api/basic/forbidden-headers: Servo stops a script from injecting an Accept-Encoding, Access-Control-Request-Headers, or Access-Control-RequestMethod header by throwing an exception, where the expected behavior is to just silently drop the header.
fetch/api/basic/request-headers-case: Nonstandard request header names are getting case-folded. I think this might be a problem with using Hyperium's implementation of HeaderMap, which is focused on holding a very "normative" form of headers and might not be appropriate for a client that exposes Web APIs.
fetch/api/basic/request-referrer: It looks like trying to set a referrer header to "about:client" sets it to null instead, instead of leaving it as the actual refererrer URL.
The text was updated successfully, but these errors were encountered: