Exclude the Trailer header from 304 responses?
#2842
Comments
|
Yes, that makes sense: http://httpwg.github.io/specs/rfc7230.html#message.body.length --
Note that the response is terminated. Also, the trailers are syntactically part of the chunked body, see All that said, a receiving implementation could choose to recover from the error of seeing a trailer there, but it's probably not a good idea, since this is about message framing, and there are security implications. |
|
Do you consider it an error to have the |
|
It's not a great thing to do, but there's nothing in the spec that prohibits a sender from generating a Trailer header without actually sending those trailers. |
|
/cc @nodejs/http (Trying to get some old issues un-stalled or closed if they are close-able...) |
Fishrock123
added
the
good first issue
|
I am available as a mentor for this issue if anyone wants to pick it up. |
|
I wouldn't mind taking a stab at it… |
|
@jasnell @wprl I'd like to give this a shot if no works been done on it. If I understand correctly the task is to strip the Trailer header from responses that don't have Transfer-Encoding: chunked including 304s since they aren't chunked. However, tunniclm from Express suggests this is a valid response and should be accepted by the proxy and the user can prevent this issue by not adding the header to responses that aren't chunked So is this really an issue that needs to be addressed? |
|
cc/ @tunniclm |
|
Looking for a good first contribution. Is this something that should still be implemented (wasn't sure after @ALJCepeda's comment). Thanks! |
|
I believe this is something that should be addressed given the issues. RFC 7230 is very clear that the |
|
@jasnell Are you still open to mentoring on this issue? |
|
Yes, absolutely. This shouldn't be too difficult to do. |
|
Great! What first steps would you recommend? |
|
Take a look at the Specifically, look right about here: https://github.com/nodejs/node/blob/master/lib/_http_server.js#L208 You should be able to add a check that will report an error if |
|
@jasnell Hi, I would like to help with this one. I just read over the |
|
Hi, I made the change, please let me know if its good to go. Thanks |
Test non-chunked message does not have trailer header set, message will be terminated by the first empty line after the header fields, regardless of the header fields present in the message, and thus cannot contain a message body or 'trailers'. PR-URL: #12990 Ref: #2842 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Refael Ackermann <[email protected]> Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Yuta Hiroto <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Brian White <[email protected]>
|
Is this still an issue in Node.js 8.3.0? |
|
Is this still open, would love to give it a go @jasnell |
|
I believe it is still an issue but it's possible I could be missing something. It's a straightforward test to check. Let me know @nikshepsvn if you need pointers on which part of the code to start poking. |
|
ping @jasnell — is this still an issue? See my comment above re: the commit that might've addressed it. That said, I could be missing something deeper. |
|
Hi. I created a simple test for reproduce it when we found the bug, two years ago. At that time, it worked when deployed on Heroku, but failed when deployed on IBM Bluemix. The difference: Go HTTP middleware in Bluemix (very stricts with trailers). It should be trivial to deploy this sample on Bluemix with the latest version of Node and check if it is solved. |
|
Hi, @pjmolina, how did the test go? I am available to work on this if you would like help. |
|
Hi @arturgvieira I need to find the time to repeat it again on Bluemix and will back here to share the results. |
|
Hi, @arturgvieira et al.
Repro steps
In all environments, resource r1 should work on GET as trailers are not involved and return a 200 OK response.
This will return a 200 OK on (A0) but a 502 Bad gateway on (B1 and B2). The difference between r1 and r2 are ETAG trailer injected by Express.
This will return a 304 Not modified on (A0) but a 502 Bad gateway on (B1 and B2). It will work on (A0) but will fail on (B1 and B2).
The main hypothesis here is: some part of the trailers specs are open to interpretation (in the spec) and are implemented with subtle differences between Go and NodeJS core implementations. This difference causes the interop problem shown here, as IBM Bluemix uses a router as middleware based on Go. If you run the test locally, everything will work as curl (as client) will accept the trailers as they come (not very strict). I will let the sample environments running some days just in case someone wants to test and reproduce it. More info: original thread. Corollary: this bug prevents having ETags and a proper HTTP cache handling on NodeJS backends hosted at least on Bluemix (other cloud hosts could be affected too, for example, CloudFoundry based ones). |
|
@pjmolina can you reproduce this with plain Node.js code rather than Express? Express monkey patches lots of code so it wouldn't surprise me if it could still be broken there while working in Node.js. Unless I'm severely misunderstanding the issue, the following code in Node.js should make sure that we don't allow |
|
I see your point @apapirovski |
|
Express doesn't monkey patch anything -- it only adds new methods. Not sure what you are referring to, exactly. Can you point to where this monkey patching is? |
|
I wrote a test when I first developed the PR for this Issue. The test itself should be a good starting point for an all NodeJS solution. |
|
@dougwilson Sorry, I should've been clearer. There are middleware that are included within express itself (or at least referenced within the test suite, at the very least) that will, for example, monkey patch |
|
On that note, were you ever going to provide the code you used for testing at some point :) ? |
|
@dougwilson do you want me to just make a git repo with my copy of I've been trying to carve out some time to get PRs for the actual packages (supertest, superagent, etc.) used but it's a bit more work than just temporarily monkey-patching them. |
|
@pjmolina Are you sure you tested with Node v8 & v9? I'm getting the expected error: |
|
Based on my testing, this has been addressed. Closing. |
|
Thanks for all the help, I had a lot of fun. I learned quite a bit of web standards, and techniques in NodeJS, which I am very thankful for. |
nodejs limitation; see: nodejs/node#2842
Including the
Trailerheader field with responses that don't haveTransfer-Encoding: chunkedcauses some (overly strict?) proxies to drop the response e.g. IBM Bluemix sends back a 502 top the client in this scenario, even though Node/Express responds with a 304.I brought up the issue with the Express team and it was suggested that since Node strips out the body for a 304, it might also make sense to strip out the
Trailerheader from Node. See: expressjs/express#2749Interested what you all think about it.
The text was updated successfully, but these errors were encountered: