Takeshi Yoshino <
tyos...@chromium.org> writes:
> On Wed, Apr 26, 2017 at 4:07 AM, Philip Jägenstedt <
foo...@chromium.org>
> wrote:
>
>> I think there are two things worth doing that might give better insights
>> than static HTTPArchive analysis, which seems tricky in this case.
>>
>> First, take the top sites identified by tyoshino@ and try them with a
>> build that has the change. Looking visually for breakage is hard if you're
>> not a regular user of the site, so instead set a breakpoint in DevTools
>> where getAllResponseHeaders is called and try to follow the return value to
>> where it's used.
>>
>> Second, figure out how far in the Safari release channel
>>
https://bugs.webkit.org/show_bug.cgi?id=169286 has gotten and search for
>> regressions in their bug database. I assume it's not in stable Safari yet,
>> but once it is, that's a good signal that the change is web compatible.
>>
>
> Thanks Philip. These make sense.
>
> I'll help you doing the first item if needed, Raphael. Let's discuss on the
> bug or review.
tyoshino@ and I have been discussing this on
crbug.com/716994. I checked
the top sites he'd mentioned, and these are the most important findings:
- The vast majority of the websites reference getAllResponseHeaders()
because they ship jQuery. However, no code path calling gARH() is ever
called in any of them (I couldn't test code that required a login,
though).
- There are some other frameworks such as YUI (2 and 3) and Naver's
Jindo.js that also just forward whatever getAllResponseHeaders()
returns, but none of the websites that use them reach those code paths
at all.
- Angular.js code does not immediately normalize getAllResponseHeader()
header names, but it provides several functions such as parseHeaders()
that automatically convert all header names to lowercase.
- Google's closure-library seems to behave similarly, and none of the
websites using it ever called the getAllResponseHeaders() functions.
- Many websites also ship a fetch() polyfill that's obviously not used
by us.
- There's some analytics stuff from IBM Tealeaf and Clicktale that call
getAllResponseHeaders(), but that function was never called here.
- Some websites just call getAllResponseHeaders() for debugging purposes
(ie. if something goes wrong the headers are printed somewhere).
- Most of the websites that really use getAllResponseHeaders(), like
YouTube, already lowercase the header names when doing comparisons and
lookups.
The only website that can genuinely break in some cases with this change
is
ok.ru. It contains code that looks like this:
var y = q.getAllResponseHeaders(), x;
while (x = p.exec(y)) {
j[x[1]] = x[2];
}
if (!g && j["Redirect-Location"]) {
f(j["Redirect-Location"]);
t(q, q.statusText, "Redirect");
return;
}
where p is a regular expression object. I didn't receive any payload
with redirect-location in my tests, but it's clear that the check above
will break when all headers are lowercased.
As for looking for regressions in WebKit's bug tracker: I couldn't find
anything.
Given the above, how should we proceed here?