Remove trailing whitespace from HTTP headers #53005
Comments
brianquinlan
added
library-io
breaking-change-request
|
I don't think http client library should be in business of trimming and cleansing header values, should not attempt to apply semantic meaning to them. It should try to get content it received into developers hands as is and let them decide whether to trim values or not. |
We already normalize the header name for case. We also remove leading whitespace from the field value.
No. But I suspect that is because most servers do not append additional whitespace to field values. |
a-siva
added
the
area-core-library
Normalizing header name is kind of different thing compared to "normalizing" the value(note also that we do have an option |
Could you summarize as to why this is important and what potential pitfalls you see from the removal of trailing whitespaces from HTTP headers. |
|
As already mentioned "RFC 2616 section 4.2 specifically says that leading and trailing whitespace is not semantic", so any intermediate (cache server, proxy server, etc.) MAY already remove this whitespace. So in practice one can not rely on whitespace added by the server being preserved anyway. The current behavior in principle require trimming all header values which seems error prone. |
|
@a-siva wrote
When dart developer controls both server and client they might want to use trailing spaces as they are not prohibited by the RFC. Also it is hard to rule out possibility of some legacy server sending out trailing spaces as part of the header value content. Note #33501 that resulted in dart HttpHeaders https://datatracker.ietf.org/doc/html/rfc2616#section-4.2 talks about several things that MAY happen to the content(trimming of leading/trailing WS, longer WS sequences replaced with single WS, combination of multiple header values into single comma-separated list) - I don't think we have done none of that so far(well, except of leading WS). If we implement trimming of trailing WS, It would be good to clarify our strategy with other items. |
|
Checking in, have we come to a decision here, or is this still being worked through? |
|
We are ready for approval. |
|
SGTM. I can see this potentially impacting our internal web development workflow but we should have sufficient E2E coverage to catch any issues. |
|
fine by me |
|
lgtm |
I'm not very familiar with CBUILD but I assume it doesn't do a TGP? I'm concerned about our internal workflows as we have a handful of Dart based web servers / tools. Any issues will hopefully be caught when this change is rolled into Google3 though. |
|
@grouma I don't know much about CBUILD but you seem to be right - it tests <5,000 Google3 targets. |
Bug: #53005 Bug: #51532 Change-Id: I8a2fc04f48d50103819d655ccd300e73d59fbecc Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/319903 Reviewed-by: Alexander Aprelev <aam@google.com> Commit-Queue: Brian Quinlan <bquinlan@google.com>
Change Intent
The intent of this change is to make the headers field values contained (through
HttpHeaders) inHttpRequestandHttpClientResponsenever contain trailing spaces and tabs.For example, an HTTP request like:
Would be parsed like:
Justification
It is easier to write correct code if the whitespace has been removed from the field values.
The Dart HTTP parser itself has issues with trailing whitespace. For example, the chunked content encoding detector currently checks for the exact string
'chunked'rather than for'chunked[ \t]*'.RFC 2616 section 4.2 specifically says that leading and trailing whitespace is not semantic:
Finally, this behavior would be consistent with the behavior of
XMLHTTPRequest(dart:htmlHttpRequest) , Cronet (package:cronet_http) and Apple's Foundation URL loading system (package:cupertino_http).Impact
There are three scenarios that I can imagine:
if (header['header-a'] == 'cat') ...if (header['header-a'].trim() == 'cat') ...if (header['header-a'] == 'cat \t ') ...I'm guessing that case (1) is the most common and case (3) is the least common.
Mitigation
I think that this is unlikely to have significant impact.
The text was updated successfully, but these errors were encountered: