empty response header values listed with : in header name #3821

Open
jsoref opened this issue Jul 16, 2021 · 4 comments
Labels
B-bug Bug: general classification S-unverified Status: Unverified by maintainer


jsoref commented Jul 16, 2021

Describe the bug
HTTP Response headers with empty values have their header name listed with a trailing :

To Reproduce

  1. Run the following in an sh-friendly shell with a cooperative nc:
    echo -e "HTTP/1.1 200 OK\nX-Foo:\nContent-Type: text/plain\n\n$(date)" | nc -l 1500
  2. Open Insomnia
  3. Make a new request
  4. Set the request to (GET) http://localhost:1500
  5. Click Send
  6. Activate the Header response tab

See:

| NAME | VALUE |
| --- | --- |
| X-Foo: | |
| Content-Type | text/plain |

Expected behavior

| NAME | VALUE |
| --- | --- |
| X-Foo | |
| Content-Type | text/plain |


Desktop (please complete the following information):

  • OS: macOS 11.4
  • Installation Method: homebrew
  • App Version 2021.4.0

Additional context
GitHub sends x-accepted-oauth-scopes: at times


roguib commented Jul 17, 2021

I believe it could be an edge case, considering that an empty header value is not valid per RFC-7230. Don't know why GitHub sends x-accepted-oauth-scopes without any value though.


jsoref commented Jul 18, 2021

Are you sure?

https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6

header-field   = field-name ":" OWS field-value OWS

field-name     = token
field-value    = *( field-content / obs-fold )

I'm pretty sure the * in the field-value definition effectively means optional.


roguib commented Jul 19, 2021

Not 100% TBH. I did some quick research and some users were saying that empty header values were not valid except in some specific cases, since they could introduce security risks. It would be nice to know exactly if they are valid or not. Source. However, I found a StackOverflow answer saying that empty headers are valid if they don't contain any characters, so I'm quite confused if they're valid or not.


jsoref commented Jul 19, 2021

The source you linked to includes a reference to mnot, who should be taken as authoritative, and it aligns with what I'm saying. He's a spec person. I'm a browser person. We agree.

I too am sorry that people have trouble reading specifications, but this really isn't complicated. The ABNF isn't ambiguous, and even the prose isn't terrible: it says a field-value, and a field value is defined as a * of thing, and that means the thing is optional.
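
The following is an added example, not part of the thread and not Insomnia's code. It parses the response head from the reproduction steps according to the ABNF quoted above. `naiveParse` is a hypothetical parser, assumed only for illustration, that reproduces the reported `X-Foo:` display; `parseHeaderLine`, `parseHead` and `SAMPLE_HEAD` are likewise names made up here.

```javascript
// field-name = token; the tchar set comes from RFC 7230 section 3.2.6.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Hypothetical naive parser (an assumption, not Insomnia's code): it splits on
// ": ", so "X-Foo:" (no space, no value) never splits and keeps its colon.
function naiveParse(line) {
  const [name, ...rest] = line.split(': ');
  return { name, value: rest.join(': ') };
}

// Grammar-driven parser: header-field = field-name ":" OWS field-value OWS
function parseHeaderLine(line) {
  const colon = line.indexOf(':');
  if (colon < 1) throw new Error('missing field-name or colon');
  const name = line.slice(0, colon);
  // Rejects whitespace before the colon (RFC 7230 section 3.2.4)
  // and any other non-token character in the name.
  if (!TOKEN.test(name)) {
    throw new Error('invalid field-name: ' + JSON.stringify(name));
  }
  // OWS is SP / HTAB only; the field-value that remains may be empty.
  const value = line.slice(colon + 1).replace(/^[ \t]+|[ \t]+$/g, '');
  // A bare CR or NUL inside a value is refused rather than displayed.
  if (/[\r\n\0]/.test(value)) throw new Error('control character in field-value');
  return { name, value };
}

// Constructed sample: the response head sent by the nc command above.
const SAMPLE_HEAD = 'HTTP/1.1 200 OK\nX-Foo:\nContent-Type: text/plain\n\n';

function parseHead(head, parseLine) {
  // Accept bare LF as well as CRLF, since the reproduction sends LF only.
  const lines = head.split(/\r?\n/);
  const headers = [];
  for (const line of lines.slice(1)) { // lines[0] is the status line
    if (line === '') break;            // empty line ends the header section
    headers.push(parseLine(line));
  }
  return headers;
}

console.log(parseHead(SAMPLE_HEAD, naiveParse));
console.log(parseHead(SAMPLE_HEAD, parseHeaderLine));
```

Rejecting a name such as `X-Foo ` (space before the colon) instead of trimming it keeps the parser from silently accepting a header that another hop may interpret differently.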
