fix(kit): handle whitespace in HTTP Accept header (#12292)

aloisklink · web-flow · commit 0a0e9aa89712 · 2024-06-06T19:44:54.000-07:00
According to [RFC 9110][1], in the HTTP Accept header, there can be OWS (optional whitespace, e.g. zero to unlimited SP (space) or HTAB (horizontal tab)) between the `;` and `,` characters. [1]: https://www.rfc-editor.org/rfc/rfc9110
diff --git a/.changeset/witty-bees-hope.md b/.changeset/witty-bees-hope.md
@@ -0,0 +1,5 @@
+---
+"@sveltejs/kit": patch
+---
+
+fix: handle whitespace in HTTP Accept header
diff --git a/packages/kit/src/utils/http.js b/packages/kit/src/utils/http.js
@@ -9,7 +9,7 @@ export function negotiate(accept, types) {
 	const parts = [];
 
 	accept.split(',').forEach((str, i) => {
-		const match = /([^/]+)\/([^;]+)(?:;q=([0-9.]+))?/.exec(str);
+		const match = /([^/ \t]+)\/([^; \t]+)[ \t]*(?:;[ \t]*q=([0-9.]+))?/.exec(str);
 
 		// no match equals invalid header — ignore
 		if (match) {
diff --git a/packages/kit/src/utils/http.spec.js b/packages/kit/src/utils/http.spec.js
@@ -6,6 +6,13 @@ test('handle valid accept header value', () => {
 	assert.equal(negotiate(accept, ['text/html']), 'text/html');
 });
 
+test('handle accept values with optional whitespace', () => {
+	// according to RFC 9110, OWS (optional whitespace, aka a space or horizontal tab)
+	// can occur before/after the `,` and the `;`.
+	const accept = 'application/some-thing-else, \tapplication/json \t; q=0.9  ,text/plain;q=0.1';
+	assert.equal(negotiate(accept, ['application/json', 'text/plain']), 'application/json');
+});
+
 test('handle invalid accept header value', () => {
 	const accept = 'text/html,*';
 	assert.equal(negotiate(accept, ['text/html']), 'text/html');
