After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 792176 - Case of request headers depends on global state
Case of request headers depends on global state
Status: RESOLVED OBSOLETE
Product: libsoup
Classification: Core
Component: Misc
unspecified
Other Linux
: Normal normal
: ---
Assigned To: libsoup-maint@gnome.bugs
libsoup-maint@gnome.bugs
Depends on:
Blocks:
 
 
Reported: 2018-01-03 16:54 UTC by Ms2ger
Modified: 2018-09-21 16:33 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Ms2ger 2018-01-03 16:54:15 UTC
Originally filed in https://bugs.webkit.org/show_bug.cgi?id=179475

http://w3c-test.org/fetch/api/basic/request-headers-case.any.html

soup_message_headers_append interns the header name case-insensitively, and always uses the casing it got in the first call. This means that

fetch("..", {headers: [["TEST", 1]] })
fetch("..", {headers: [["test", 1]] })

will the same header name twice. The name might be "TEST", or it might be any other casing which any other web page has used during the runtime of the browser.

This also provides a way of cross-origin communication: if a web page A uses a sufficiently unique header name in a particular casing, another web page B can check if page A was loaded before page B by checking what happens when using the header name in a different casing.
Comment 1 Claudio Saavedra 2018-09-12 15:22:09 UTC
From https://bugs.webkit.org/show_bug.cgi?id=179475#c2

> danw	the "cross-origin communication" idea seems a little crazy, but people
> have done crazier stuff... I'd say file a libsoup bug yeah. you can't just 
> change intern_header_name to be non-case-sensitive though. that would definitely break things
>
> mcatanzaro	What sort of things?
>
> danw	eg, when you call soup_message_headers_get_content_type(), it has to 
> return the content type whether it was specified as "Content-Type" or "CONTENT-type"
> I guess if you want to fix it, the fix would be to not intern header names at 
> all. just copy both name and value, and use g_ascii_strcasecmp() rather than 
> pointer equality to compare header names when needed

Would it be reasonable to down-case the header names before interning them?
Comment 2 Dan Winship 2018-09-12 16:05:25 UTC
If you just downcased the header names before interning them and then didn't make any other changes, then that would cause libsoup to always send header names fully-downcased:

  GET /index.html HTTP/1.1
  host: example.com
  accept-encoding: gz
  cookies: BLAH=blah

There is nothing theoretically wrong with this, but it looks weird. :-). But also, this is the web, so the fact that there is nothing *theoretically* wrong with it doesn't mean that there's nothing *actually* wrong with it.

If you Titlecased each word rather than lowercasing them, that would be better. (It would get a few things like "Content-MD5" wrong, but, eh.)
Comment 3 Claudio Saavedra 2018-09-13 13:05:44 UTC
Okay, I confess not to have looked in detail what the interning is useful for. Is it something we can really wipe out? What was the point of it? Saving comparison time?
Comment 4 Dan Winship 2018-09-13 13:41:15 UTC
Yeah, it's just so that checks for various specific headers can be done with pointer equality rather than string comparison. You could get rid of that optimization.
Comment 5 GNOME Infrastructure Team 2018-09-21 16:33:41 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to GNOME's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/libsoup/issues/111.