Change Reserved to unmodified HTTP header-field #2466
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Propagate unmodified header fields in the previously Reserved and undefined 4th element of the http_header tuple. *Why do we need this new feature?* While Section 4.2 of RFC 2616 for HTTP/1.1 states that Field names are case-insensitive, some non-compliant web services may rely on peculiar casing of Field names. Such web-services cannot be accessed through a Proxy-server, that is implemented in Erlang/OTP, certainly not over HTTPS. Despite the RFC, even the IANA lists a number of permanently registered headers in all-caps or mixed-cased format, e.g.: ALPN, HTTP2-Settings, WWW-Authenticate, etc. This leads to confusion and to service implementations, that only accept headers formatted the same way. A production issue was experienced using the common, drafted, but not yet standard header: DNT. There are a number of HTTP servers implemented in Erlang that could be used in a Proxy implementation. However, there is none that would respect header-casing. * cowboy, httpd - their header parser lower-cases the fields * yaws - emulators' internal HTTP header parsing via ssl/inet * mochiweb, elli - both use erlang:decode_packet/3 As a side note: An HTTPS-Proxy requires CONNECT method support. Therefor cowboy is not a real option despite its popularity. With this proposal yaws, mochiweb and elli could all be patched to respect casing of header fields and propagate the original header format to the application level modules. The DNT header issue was experienced using a patched mochiweb. *Risks or uncertain artifacts?* These changes are minimalistic and backward compatible, given application developers respected the documentation. All above mentioned http servers do so, they ignore the 4th element of http_header tuple. It was verified in the master branches of the project repositories. *How did you solve it?* The proposal is that packet_parser.c should also propagate unmodified fields to both inet_drv.c and erl_bif_port.c, where these would be put in the 4th place of the http_header tuple. Its recognised, that this element was Reserved for future and/or internal use. Hopefully you'd agree, that sending the original header fields is a productive use-case to free up the reservation. Adding a new httph_cs option, cs for case-sensitive, was also considered. I got the impression thought, that these these packet decoders exit for compatibility reasons only and the OTP-Team is not keen on adding new options.
|
|
|
Yes, this is a much better approach. It just needs some updates to the docs and should be good. |
|
Thanks for the feedback @garazdawi. Both |
|
While I was searching through |
Agreed. Good initiative, thanks. Putting it in testing over the weekend. |
garazdawi
added
testing
garazdawi
reviewed
Dec 6, 2019
garazdawi
removed
the
testing
garazdawi
added
the
testing
|
Hey @garazdawi , thanks for merging this in
|
There will only be a couple of months difference between the 22.3 release and 23.0, so I think the risk outweighs the rewards. It is already too late for 22.2. |
Good to hear that. Thanks! |
tank-bohr
added a commit
to tank-bohr/bookish_spork
that referenced
this pull request
Apr 3, 2021
- Lowercase method atoms - Use binaries both for header names and values - Introduce `raw_headers` which preserve headers case and order. [erlang/otp#2466](erlang/otp#2466) allows to keep headers case - Some documentation updates - Update deps
tank-bohr
added a commit
to tank-bohr/bookish_spork
that referenced
this pull request
Apr 3, 2021
- Lowercase method atoms - Use binaries both for header names and values - Introduce `raw_headers` which preserve headers case and order. [erlang/otp#2466](erlang/otp#2466) allows to keep headers case - Some documentation updates - Update deps
tank-bohr
added a commit
to tank-bohr/bookish_spork
that referenced
this pull request
Apr 3, 2021
- Lowercase method atoms - Use binaries both for header names and values - Introduce `raw_headers` which preserve headers case and order. [erlang/otp#2466](erlang/otp#2466) allows to keep headers case - Some documentation updates - Update deps - Update CI to run tests inside docker container
tank-bohr
added a commit
to tank-bohr/bookish_spork
that referenced
this pull request
Apr 3, 2021
- Lowercase method atoms - Use binaries both for header names and values - Introduce `raw_headers` which preserve headers case and order. [erlang/otp#2466](erlang/otp#2466) allows to keep headers case - Some documentation updates - Update deps - Update CI to run tests inside docker container
tank-bohr
added a commit
to tank-bohr/bookish_spork
that referenced
this pull request
Apr 3, 2021
- Lowercase method atoms - Use binaries both for header names and values - Introduce `raw_headers` which preserve headers case and order. [erlang/otp#2466](erlang/otp#2466) allows to keep headers case - Some documentation updates - Update deps - Update CI to run tests inside docker container
tank-bohr
added a commit
to tank-bohr/bookish_spork
that referenced
this pull request
Apr 3, 2021
- Lowercase method atoms - Use binaries both for header names and values - Introduce `raw_headers` which preserve headers case and order. [erlang/otp#2466](erlang/otp#2466) allows to keep headers case - Some documentation updates - Update deps - Update CI to run tests inside docker container
tank-bohr
added a commit
to tank-bohr/bookish_spork
that referenced
this pull request
Apr 3, 2021
- Lowercase method atoms - Use binaries both for header names and values - Introduce `raw_headers` which preserve headers case and order. [erlang/otp#2466](erlang/otp#2466) allows to keep headers case - Some documentation updates - Update deps - Update CI to run tests inside docker container
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Propagate unmodified header fields in the previously Reserved and
undefined 4th element of the http_header tuple.
Why do we need this new feature?
While Section 4.2 of RFC 2616 for HTTP/1.1 states
that Field names are case-insensitive, some non-compliant
web services may rely on peculiar casing of Field names.
Such web-services cannot be accessed through a Proxy-server,
that is implemented in Erlang/OTP, certainly not over HTTPS.
Despite the RFC, even the IANA lists a number of permanently
registered headers in all-caps or mixed-cased format,
e.g.: ALPN, HTTP2-Settings, WWW-Authenticate, etc.
This leads to confusion and to service implementations,
that only accept headers formatted the same way.
A production issue was experienced using the common, drafted,
but not yet standard header: DNT.
There are a number of HTTP servers implemented in Erlang
that could be used in a Proxy implementation. However,
there is none that would respect header-casing.
As a side note: An HTTPS-Proxy requires CONNECT method support.
Therefor cowboy is not a real option despite its popularity.
With this proposal yaws, mochiweb and elli could all be patched
to respect casing of header fields and propagate the original
header format to the application level modules.
The DNT header issue was experienced using a patched mochiweb.
Risks or uncertain artifacts?
These changes are minimalistic and backward compatible,
given application developers respected the documentation.
All above mentioned http servers do so, they ignore the 4th
element of http_header tuple. It was verified in the master
branches of the project repositories.
How did you solve it?
The proposal is that packet_parser.c should also propagate
unmodified fields to both inet_drv.c and erl_bif_port.c,
where these would be put in the 4th place of the http_header
tuple. Its recognised, that this element was Reserved
for future and/or internal use. Hopefully you'd agree, that
sending the original header fields is a productive use-case
to free up the reservation.
Adding a new httph_cs option, cs for case-sensitive, was also
considered. I got the impression thought, that these these
packet decoders exit for compatibility reasons only and
the OTP-Team is not keen on adding new options.
That said I'm happy to add a
httph_csandhttp_bin_cs,if that is what is need for the merge to happen.
PS: A related Rejected PR from a colleague.