jeremyevans/roda

Duplicating Content-Type header when header key comes in lowercase

Closed this issue · 3 comments

When using Rack middlewares, if our response already has a header like content-type, when calling the response.finish method, we got an additional Content-Type with text/html value.

This is because the h[k] || = v is not detecting that the content-type and Content-Type are the same headers so is adding both to the array.

https://github.com/jeremyevans/roda/blob/58c6e89bacc69abe57074736580ba31a89db0ede/lib/roda/response.rb#LL194C18-L194C21

After that, when rack builds the response, our content-type with the valid value is being removed because the rack implementation is comparing both headers using downcase.

Check https://github.com/rack/rack/blob/2-2-stable/lib/rack/utils.rb#L476-L477

Note that Roda never uses any existing response headers, since it creates a new response for every request. So what I'm guessing is happening is your middleware is setting content-type in the response even if Content-Type is already set by Roda (as opposed to to Roda setting Content-Type when content-type is already set).

On Rack 2, Roda uses a plain hash for headers, so headers are case sensitive. On Rack 3, Roda uses Rack::Headers (a hash subclass which will automatically downcase header keys). For backwards compatibility, Roda uses mixed-case header keys. So this behavior is currently expected on Rack 2 if your middleware is not handling response header keys in a case-insensitive manner (such middleware is considered broken on Rack 2).

One solution is to fix your middleware to operate properly on Rack 2 by treating response header keys in a case insensitive manner (usually done with Rack::Utils::HeaderHash in Rack 2). Another solution would be to switch to Rack 3. Alternatively, you could do the following in your Roda app:

opts[:default_headers] = {}
plugin :default_headers, 'content-type'=>'text/html'

which will change Roda to use content-type instead of Content-Type

In an upcoming release, I plan to add a plugin that will make Roda use downcased header keys by default, which will become the default behavior in Roda 4.

plujon commented

This behavior surprised me as well. Does this really relate to middleware?

In the following, I'm using puma-6.2.2, rack-2.2.6.3, and roda-3.71.0.

--- config.ru ---
require 'roda'

class App < Roda
  route do |r|
    r.get do
      response['content-type'] = 'text/plain'
      'hi'
    end
  end
end

run App
--- config.ru ---

$ rackup
$ curl -D - http://localhost:9292/
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 2

hi

Also surprising is that if one sets response['Content-Type'] first, then the lowercase version works:

--- config.ru ---
require 'roda'

class App < Roda
  route do |r|
    r.get do
      response['Content-Type'] = 'text/html' # a strange band-aid
      response['content-type'] = 'text/plain'
      'hi'
    end
  end
end

run App
--- config.ru ---

$ curl -D - http://localhost:9292/
HTTP/1.1 200 OK
content-type: text/plain
Content-Length: 2

hi

As stated above, Roda uses and expects mixed case response headers if using Rack < 3. So you shouldn't use lower case response headers in your Roda app unless you have already upgraded to Rack 3. If you are using Rack 3, either case will work, since headers will be implicitly lowercased.