[whatwg/fetch] Define what consequences NULL bytes (0x00) or other invalid values in header names have (Issue #1747)

### What is the issue with the Fetch Standard?

A `header name` has to match the `field-name` syntax (which is token) and does not allow all kinds of values, such as 0x00.
The specifications do not seem to specify, however, how to deal with invalid header names.
Should the whole response be discarded (network error)? Should only the invalid header (line) be discarded? Should the Null byte simply be ignored or treated as a space?

Example URL with 0x00: [Example](http://sub.headers.websec.saarland/_hp/tests/framing.sub.html?resp_type=parsing&browser_id=1&label=XFO&first_id=254&last_id=258&scheme=http&t_resp_id=258&t_element_relation=iframe_direct&t_resp_origin=https://headers.webappsec.eu)
- Chromium: `ERR_INVALID_HTTP_RESPONSE`
- Firefox and Safari: load, the invalid header seems to be ignored (it is not visible in devtools in Firefox, it is visible in Safari)

Related: 
- For field-values the conclusion seems to be 0x00 is not allowed and should result in a network error: https://github.com/whatwg/xhr/issues/165
- Tests in WPT that test for 0x00 in header values but not in header names: https://github.com/web-platform-tests/wpt/pull/10424


Received on Tuesday, 16 April 2024 13:42:55 UTC
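
The two handling options raised in the issue above, sketched side by side as an added example (not part of the issue text, the Fetch Standard, or any browser's code). The function names, the policy labels `reject` and `drop`, and the sample header block are assumptions constructed for illustration; the name check uses the RFC 9110 `token` character set.

```javascript
// Added illustration; not Fetch Standard text or any browser's implementation.
// RFC 9110: field-name = token = 1*tchar. NUL (0x00) is not a tchar.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// policy "reject": one invalid name fails the whole response (network error).
// policy "drop":   only the invalid header line is discarded.
function parseHeaderBlock(block, policy) {
  const headers = [];
  const dropped = [];
  for (const line of block.split("\r\n")) {
    if (line === "") continue;
    const colon = line.indexOf(":");
    const name = colon === -1 ? line : line.slice(0, colon);
    if (colon === -1 || !TOKEN.test(name)) {
      if (policy === "reject") {
        return { ok: false, headers: [], dropped: [line] };
      }
      dropped.push(line);
      continue;
    }
    // Strip optional whitespace (SP / HTAB) around the field value.
    const value = line.slice(colon + 1).replace(/^[ \t]+|[ \t]+$/g, "");
    headers.push([name.toLowerCase(), value]);
  }
  return { ok: true, headers, dropped };
}

function hasHeader(result, name) {
  return result.headers.some(([n]) => n === name);
}

// Constructed sample: a NUL byte inside the name of a framing-control header.
const SAMPLE =
  "Content-Type: text/html\r\n" +
  "X-Frame-\u0000Options: DENY\r\n" +
  "Cache-Control: no-store\r\n";

const strict = parseHeaderBlock(SAMPLE, "reject");
const lenient = parseHeaderBlock(SAMPLE, "drop");

// Under "drop" the response is accepted, but the framing restriction is gone.
console.log("reject:", strict.ok, "| drop:", lenient.ok,
  "| x-frame-options kept:", hasHeader(lenient, "x-frame-options"));
```

With the `drop` policy the response loads without the header the server intended to send, so a security header can be lost silently; with `reject` the failure is visible to the site operator.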