Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

http: relax writeEarlyHints validations #46464

Open
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

khalsah
Copy link
Contributor

@khalsah khalsah commented Feb 1, 2023

Removes the requirement that every call to writeEarlyHints include a link header. While the link header is clearly the most common usage of 103 Early Hints, I could find no requirement to include a link header as part of RFC8297.

Additionally this removes the existing incorrect validation of the Link header format in favor of only validating that it is a valid header value. While the validation could be updated to better match RFC8288 Section 3, it appears it would be the only place in the node.js code base where we proactively validate header values beyond verifying they are valid at the HTTP protocol layer.

Fixes: #46453

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/http
  • @nodejs/http2
  • @nodejs/net

@nodejs-github-bot nodejs-github-bot added http Issues or PRs related to the http subsystem. http2 Issues or PRs related to the http2 subsystem. needs-ci PRs that need a full CI run. labels Feb 1, 2023
Removes the requirement that every call to writeEarlyHints include a
`link` header. While the `link` header is clearly the most common usage
of `103 Early Hints`, I could find no requirement to include a `link`
header as part of [RFC8297](https://www.rfc-editor.org/rfc/rfc8297.html).

Additionally this removes the existing incorrect validation of the Link
header format in favor of only validating that it is a valid header
value. While the validation could be updated to better match [RFC8288
Section 3](https://www.rfc-editor.org/rfc/rfc8288.html#section-3), it
appears it would be the only place in the node.js code base where we
proactively validate header values beyond verifying they are valid at
the HTTP protocol layer.

Fixes: nodejs#46453
@khalsah khalsah force-pushed the relax-early-hints-validation branch from 1e641e5 to 78dd37e Compare February 1, 2023 18:21
@khalsah khalsah changed the title http: Relax writeEarlyHints validations http: relax writeEarlyHints validations Feb 1, 2023
lib/_http_server.js Show resolved Hide resolved
lib/_http_server.js Show resolved Hide resolved
test/parallel/test-http-early-hints.js Outdated Show resolved Hide resolved
}

if (linkHeaderValue.length === 0) {
return false;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand the need to remove regexp but why don't we keep the primitive checks as it is?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This check skips sending 103 Early Hints all together if no link header is present. Which would be confusing if you're trying to send early hints with some other header. Admittedly I'm not aware of any current need to send 103 Early Hints without a link header, but by my reading the RFC doesn't mandate the link header in any way.

lib/internal/http2/compat.js Show resolved Hide resolved
test/parallel/test-http-early-hints.js Outdated Show resolved Hide resolved
@ShogunPanda
Copy link
Contributor

While the RFC mandates no formal specification for the early hints, I would keep the validation and therefore I'm towards accepting #46466 in favor of this.

@khalsah
Copy link
Contributor Author

khalsah commented Feb 3, 2023

  1. I added logic to skip sending the 103 if all the headers are empty since there seemed to be a desire to maintain this behavior.
  2. I added tests for two cases which I think are valuable to support:
    • Capitalized Link headers: since the http API's support them elsewhere it seems confusing to not support them for writeEarlyHints.
    • Non-link headers: since we expose the ability to send other headers it seems like we should make sure they get sent, even if no link header is sent.

SRHerzog added a commit to SRHerzog/node that referenced this pull request Feb 17, 2023
Updated regex for "Link" header validation to better match the
specification in RFC 8288 section 3. Does not check for valid URI
format but handles the rest of the header more permissively than
before. Alternative to another outstanding PR that disables validation
entirely.

Fixes: nodejs#46453
Refs: https://www.rfc-editor.org/rfc/rfc8288.html#section-3
Refs: nodejs#46464
nodejs-github-bot pushed a commit that referenced this pull request Feb 23, 2023
Updated regex for "Link" header validation to better match the
specification in RFC 8288 section 3. Does not check for valid URI
format but handles the rest of the header more permissively than
before. Alternative to another outstanding PR that disables validation
entirely.

Fixes: #46453
Refs: https://www.rfc-editor.org/rfc/rfc8288.html#section-3
Refs: #46464
PR-URL: #46466
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
targos pushed a commit that referenced this pull request Mar 13, 2023
Updated regex for "Link" header validation to better match the
specification in RFC 8288 section 3. Does not check for valid URI
format but handles the rest of the header more permissively than
before. Alternative to another outstanding PR that disables validation
entirely.

Fixes: #46453
Refs: https://www.rfc-editor.org/rfc/rfc8288.html#section-3
Refs: #46464
PR-URL: #46466
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
danielleadams pushed a commit that referenced this pull request Apr 11, 2023
Updated regex for "Link" header validation to better match the
specification in RFC 8288 section 3. Does not check for valid URI
format but handles the rest of the header more permissively than
before. Alternative to another outstanding PR that disables validation
entirely.

Fixes: #46453
Refs: https://www.rfc-editor.org/rfc/rfc8288.html#section-3
Refs: #46464
PR-URL: #46466
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
http Issues or PRs related to the http subsystem. http2 Issues or PRs related to the http2 subsystem. needs-ci PRs that need a full CI run.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Overzealous link header validation in writeEarlyHints
6 participants