Sort headers as if ASCII-uppercased
hsivonen opened this issue · 12 comments
Sorting headers lexicographically after ASCII-lowercasing them has the property that application-defined headers that begin with underscores sort to the beginning of the return string of getAllResponseHeaders
. This breaks when JS accidentally assumes that the header of interest cannot be the first one.
I suggest doing the sorting as if the the header names had been ASCII-uppercased, to avoid sorting headers starting with an underscore first.
Do we want to do this specifically for getAllResponseHeaders()
in isolation or should this affect Headers
as well?
I have a slight preference for getAllResponseHeaders() only since this is mainly for backward compatibility and we are moving to a world where lowercased headers is the norm.
AFAICT, the two are implemented separately in Gecko, so doing this only for XHR and not Fetch seems appropriate.
whatwg/fetch#906 has some initial refactoring of Fetch.
I think what I'm going to do is that XHR takes the output of "sort and combine" and sorts it again using a sorting algorithm I'll define as "legacy-uppercased-byte less than". That way Fetch doesn't contain the hack and it's unlikely it'll spread further, assuming Chrome fixes their bugs...
Sorry, which bug(s) are you referring to?
@yutakahirano Chrome doesn't sort headers it seems, at least as far as getAllResponseHeaders()
is concerned (did not check the Headers
object). I mentioned this at https://bugs.chromium.org/p/chromium/issues/detail?id=651750#c15 as I couldn't find a dedicated issue (perhaps this change was made before filing such issues).
Thanks!
Okay, I have fixes up for Fetch, Infra, and XMLHttpRequest. Are you adding WPT tests @hsivonen?
I'm modifying an existing test to add an underscore header.
Okay, https://phabricator.services.mozilla.com/D31786 is sufficient for me. If there are no more comments I plan on landing this somewhere next week (it takes some time for all the cross-specification references to be indexed, which is also why the current patch fails).
Firefox is fixed. I filed https://bugs.webkit.org/show_bug.cgi?id=200565 against Safari. Chrome still has https://bugs.chromium.org/p/chromium/issues/detail?id=651750.
Chromium: Fixed.
https://bugs.chromium.org/p/chromium/issues/detail?id=993271#c1