400 response for outdated Chrome requests #1843

Closed
krizhanovsky opened this issue Mar 21, 2023 · 4 comments
krizhanovsky commented Mar 21, 2023

Tempesta FW for the new website returns a 400 response for a Chrome Version 106.0.5249.91 (Official Build) (64-bit) request to https://tempesta-tech.com/

```
GET / HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: max-age=0
Connection: keep-alive
Cookie: gdpr[consent_types]=%5B%5D; gdpr[allowed_cookies]=%5B%22%22%5D
Host: tempesta-tech.com
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="106", "Google Chrome";v="106", "Not;A=Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
```

The Tempesta FW response (also as reported by Chrome Developer Tools):

```
HTTP/1.1 400 Bad Request
date: Tue, 21 Mar 2023 21:57:37 GMT
content-length: 0
server: Tempesta FW/pre-0.7.0
connection: close
```

There is a Tempesta parser error:

```
[609961.036719] [tempesta fw] Warning: Parser error: state=Req_HdrCookieV input(-8)=0x67('Cookie: gdpr[consent_types]=%5B%5D; gdpr[allowed') data_len=704 off=638
[609961.037004] [tempesta fw] Warning: failed to parse request: 78.109.74.252
```

@krizhanovsky krizhanovsky added this to the 0.7 - Beta milestone Mar 21, 2023
@krizhanovsky krizhanovsky added the question Questions and support tasks label Mar 21, 2023
@krizhanovsky krizhanovsky added bug and removed question Questions and support tasks labels Mar 22, 2023
@dmpetroff
Contributor

Tempesta disallows '[]' in cookie names. According to RFC 6265, cookie-name is a token, which effectively disallows [] in the cookie name.

It seems that other web servers (nginx) are not so picky and they do accept [] in the cookie name.

We're not the first to run into such problems: js-cookie/js-cookie#595 (comment)
So I'd suggest allowing square braces, although it is completely non-standard.

@krizhanovsky
Contributor Author

@dmpetroff can we fix it just by extending the RFC alphabet with https://github.com/tempesta-tech/tempesta/wiki/HTTP-security#custom-character-sets ? If we can solve the WordPress issue with Tempesta FW configuration, then we're good.

@dmpetroff
Contributor

@krizhanovsky I think we should add http_cookie_name_brange then and completely separate from token. Should we be RFC-compliant or real-world-compliant by default?
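
The check discussed in this thread, as an added example that is not part of the original comments and is not Tempesta FW code: it validates the cookie names in a Cookie header value against the token alphabet and can accept extra bytes on top of it. The function name `cookie_name_reject_off` and its `extra` parameter are hypothetical; the sample header value is the one from the request in this issue.

```c
#include <stdio.h>
#include <string.h>

/* Cookie header value taken from the request quoted in this issue. */
static const char issue_cookie[] =
    "gdpr[consent_types]=%5B%5D; gdpr[allowed_cookies]=%5B%22%22%5D";

/* tchar from RFC 7230, the same set as the RFC 2616 token used by RFC 6265. */
static int is_tchar(unsigned char c)
{
    if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z'))
        return 1;
    return c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL;
}

/*
 * Scan "name=value; name=value" and return the offset of the first byte
 * that makes a cookie-name invalid, or -1 when every name is acceptable.
 * `extra` (hypothetical) lists bytes allowed in addition to the token
 * alphabet; pass "" for strict RFC behaviour.
 */
long cookie_name_reject_off(const char *v, const char *extra)
{
    size_t i = 0;

    for (;;) {
        size_t start;
        while (v[i] == ' ')              /* space after the ';' delimiter */
            i++;
        start = i;
        for (; v[i] && v[i] != '=' && v[i] != ';'; i++)
            if (!is_tchar((unsigned char)v[i]) && !strchr(extra, v[i]))
                return (long)i;
        if (v[i] != '=' || i == start)
            return (long)i;              /* empty name or missing '=' */
        while (v[i] && v[i] != ';')      /* cookie-value is not checked here */
            i++;
        if (!v[i])
            return -1;
        i++;                             /* step over ';' */
    }
}

int main(void)
{
    printf("strict:   %ld\n", cookie_name_reject_off(issue_cookie, ""));
    printf("with []:  %ld\n", cookie_name_reject_off(issue_cookie, "[]"));
    return 0;
}
```

In strict mode the scan stops at the `[` in `gdpr[consent_types]`; with `[]` added to the accepted bytes the whole header passes.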
