Primary eng emails
Summary
We want to normalize and check header values in Fetch API's JavaScript interfaces according to the latest Fetch API spec [1] and RFC 7230 instead of RFC2616.
This change will make Blink to:
Throw TypeError for header values containing the following octets: 0x01 -- 0x08, 0x0B, 0x0C, 0x0E -- 0x1F, and 0x7F (previously accepted).
Remove leading/trailing HTTP whitespace bytes (i.e. 0x09, 0x0A, 0x0D, and 0x20) from header values (previously accepted as-is).
When header values are set in:
Headers constructor
Headers.append()
Headers.set()
Request constructor (from RequestInit.headers, RequestInit's body's content type)
Response constructor (from ResponseInit.headers)
Currently Blink just checks the header values don't contain 0x00, 0x0A, and 0x0D.
Motivation
To follow the latest spec (Fetch API spec [1] and RFC 7230) and avoid compatibility issues in the future.
Because Fetch API is a new API for now, there is little reason to continue support for obsolete things, and compatibility risks will increase as time passes.
The impact on code complexity is low (adding a function + modifying a couple of lines).
Compatibility Risk
Very low for now because Fetch API is a relatively new API (shipped in M-40 on serviceworkers and M-42 on window/other workers).
Allowing deprecated things might result in larger compatibility risks in the future.
We leave XHR and Chromium //net stack unmodified, so Fetch API is stricter than other parts of Chromium/Blink.
Anne van Kesteren (as comment in [2]) and Ryan Sleevi [3] showed concerns about the inconsistency, but we'd like to weigh the risk of breaking existing systems more against the consistency and the benefits of updating XHRs and //net stack (and also weigh the benefit of updating Fetch API more against the consistency).
XHR is already widely used for a long time. We inserted UseCounter for XHR's setRequestHeader, and the percentage of affected XHRs (if we updated XHRs) is about 0.04% of all XHR requests, but we are afraid that we still have chances of breaking existing systems.
Changing //net would have larger compatibility risks and implementation costs.
Alternative implementation suggestion for web developers
Applications can use URL encoding for passing invalid octets above.
Usage information from UseCounter
No UseCounter. We expect affected application is rare.
(Also, currently Fetch API is used mainly on serviceworkers, and UseCounter doesn't report counts on serviceworkers.)
OWP launch tracking bug
None.
Entry on the feature dashboard
https://www.chromestatus.com/features/6457425448140800
Requesting approval to remove too?
Yes.
[1] https://fetch.spec.whatwg.org/
[2] https://docs.google.com/document/d/1eH4aQNaYT6PDFugUXfAcgK4J1aU7m-iu9x_YVGsNel4
[3] https://groups.google.com/a/chromium.org/forum/#!msg/net-dev/PBQ6Y_ai0jg/P1EDLokxwtoJ
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
Fetch is supposed to be the primitive that explains the platform. This seems like it's taking us farther away from that. I'd rather we tried to change XHR at the same time and see what breaks.
I'd suggest putting this new behavior behind a flag, turn it on for everyone and see who shouts. Worst case we merge a flag flip to stable.
From: tyos...@google.com [mailto:tyos...@google.com] On Behalf Of Takeshi Yoshino
> I understand your concern. We could deprecate it for XHR too but should have some moratorium.
I guess I am worried about getting stuck in a world where Fetch has one set of rules and XHR has another. Then we have to go update the Fetch spec to have "XHR header parsing mode" and "Fetch header parsing mode" and all that. Not fun.
> //net has wider customers and not all of them are governed by the Fetch algorithm.
Curious which ones those are. Are they also not governed by RFC 7230?
> Or, do you think it might be better to leave all of them follow RFC 2616? It could still be discussed a little more.
This was part of the motivation for my question, yes. If we are not sure it's web compatible to make this change, why does Fetch/RFC 7230 differ from RFC 2616? If the motivation for the change is strong enough, then we should change it everywhere. If the motivation is weak, then we should roll back the changes in the specs.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.