GNOME Bugzilla – Bug 792176
Case of request headers depends on global state
Last modified: 2018-09-21 16:33:41 UTC
Originally filed in https://bugs.webkit.org/show_bug.cgi?id=179475 http://w3c-test.org/fetch/api/basic/request-headers-case.any.html soup_message_headers_append interns the header name case-insensitively, and always uses the casing it got in the first call. This means that fetch("..", {headers: [["TEST", 1]] }) fetch("..", {headers: [["test", 1]] }) will the same header name twice. The name might be "TEST", or it might be any other casing which any other web page has used during the runtime of the browser. This also provides a way of cross-origin communication: if a web page A uses a sufficiently unique header name in a particular casing, another web page B can check if page A was loaded before page B by checking what happens when using the header name in a different casing.
From https://bugs.webkit.org/show_bug.cgi?id=179475#c2 > danw the "cross-origin communication" idea seems a little crazy, but people > have done crazier stuff... I'd say file a libsoup bug yeah. you can't just > change intern_header_name to be non-case-sensitive though. that would definitely break things > > mcatanzaro What sort of things? > > danw eg, when you call soup_message_headers_get_content_type(), it has to > return the content type whether it was specified as "Content-Type" or "CONTENT-type" > I guess if you want to fix it, the fix would be to not intern header names at > all. just copy both name and value, and use g_ascii_strcasecmp() rather than > pointer equality to compare header names when needed Would it be reasonable to down-case the header names before interning them?
If you just downcased the header names before interning them and then didn't make any other changes, then that would cause libsoup to always send header names fully-downcased: GET /index.html HTTP/1.1 host: example.com accept-encoding: gz cookies: BLAH=blah There is nothing theoretically wrong with this, but it looks weird. :-). But also, this is the web, so the fact that there is nothing *theoretically* wrong with it doesn't mean that there's nothing *actually* wrong with it. If you Titlecased each word rather than lowercasing them, that would be better. (It would get a few things like "Content-MD5" wrong, but, eh.)
Okay, I confess not to have looked in detail what the interning is useful for. Is it something we can really wipe out? What was the point of it? Saving comparison time?
Yeah, it's just so that checks for various specific headers can be done with pointer equality rather than string comparison. You could get rid of that optimization.
-- GitLab Migration Automatic Message -- This bug has been migrated to GNOME's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/libsoup/issues/111.