fails to parse headers containing line feed #489
Comments
We did avoid splitting by However, I'm really surprised that you can read cookies from the server response (regardless of the value having line breaks or not). The browser usually doesn't let you read the Could it be that your user agent is so old that it doesn't implement the concept of "forbidden" headers?
@mislav yes I think the browser is too old to know about forbidden headers.
I'm thinking such handling might be too “magic”. I must admit I don't understand the Tolerance provision fully. The spec says that
@mislav, from the issue you mentioned #449, I cannot find any evidence that iOS would give headers without @woudini could you give some details what the issue was? I'm a little surprised that the content-type would change when changing the splitting from
@mpfluger and I came up with this fix: #491 The confusion seems to be coming from the assumption that https://tools.ietf.org/html/rfc7230#section-3 states that all header-fields are delimited by CRLF. To support the tolerance provision, CRLF here must be interchangeable with LF. Therefore the delimiter between headers is indeed https://tools.ietf.org/html/rfc7230#section-3.2.4 states:
@woudini Thanks for the research! I think it's clear now that support for
hi,

I have some quite old user agent `Mozilla/5.0 (QtEmbedded; Linux) AppleWebKit/534.34 (KHTML, like Gecko) webkit/0.1 Safari/534.34` (some proprietary set-top box) which seems to include line feed between cookies when the server sends multiple `Set-Cookie` headers. I know that the new spec is that the user agent should join these headers with a comma, but it seems like before this was `\n`. line feeds are deprecated but still allowed per https://tools.ietf.org/html/rfc7230.

if I change the regex for splitting the headers returned by `xhr.getAllResponseHeaders()` from `/\r?\n/` to `/\r\n/` the problem is solved for this user agent https://github.com/github/fetch/blob/eebaa2a1bc21eeba98ee00c9f94a0a4c2007cff1/fetch.js#L361. from the specs it seems headers should always be delimited by `\r\n` so I wonder if this is the proper fix for my user agent.

without the fix, my requests to the server fail while using `credentials: 'same-origin'` because cookies are not sent like they were received from the server.
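
The trade-off between the two split patterns discussed in this thread, as an added example that is not part of the original issue or of fetch.js: `parseHeaders` is a hypothetical, simplified parser, and both raw header strings are constructed samples, not captured output from the affected device.

```javascript
// Added example: a simplified stand-in for a getAllResponseHeaders() parser.
// Returns the parsed fields plus any lines that are not "name: value".
function parseHeaders(rawHeaders, lineDelimiter) {
  const headers = new Map();
  const malformed = [];
  for (const line of rawHeaders.split(lineDelimiter)) {
    if (line.trim() === '') continue;
    const idx = line.indexOf(':');
    if (idx <= 0) {
      malformed.push(line); // fragment with no field name
      continue;
    }
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers.set(name, headers.has(name) ? headers.get(name) + ', ' + value : value);
  }
  return { headers, malformed };
}

const LENIENT = /\r?\n/; // pattern the issue reports as failing
const STRICT = /\r\n/;   // pattern the issue proposes

// Constructed sample: CRLF between fields, bare LF joining two cookies
// inside a single set-cookie value (the behaviour described in the issue).
const legacyUaRaw =
  'content-type: application/json\r\n' +
  'set-cookie: sid=abc123; Path=/\nlang=en; Path=/\r\n' +
  'cache-control: no-store\r\n';

// Constructed sample: every field terminated by a bare LF, which the
// RFC 7230 tolerance provision mentioned in the comments allows for.
const bareLfRaw =
  'content-type: text/html\n' +
  'cache-control: no-store\n';

for (const [label, raw] of [['legacy UA', legacyUaRaw], ['bare LF', bareLfRaw]]) {
  for (const [mode, re] of [['lenient', LENIENT], ['strict', STRICT]]) {
    const { headers, malformed } = parseHeaders(raw, re);
    console.log(label, mode, [...headers.keys()], 'malformed:', malformed);
  }
}
```

The lenient pattern cuts the second cookie off into a nameless fragment, while the strict pattern keeps the cookie value whole but folds a bare-LF response into a single `content-type` field.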