net/http: CanonicalHeaderKey capitalization is non-conformant with RFC 6455 #18495

Closed
shosti opened this issue Jan 2, 2017 · 1 comment

shosti commented Jan 2, 2017

What version of Go are you using (go version)?

go version go1.7.4 linux/amd64

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/shosti/go"
GORACE=""
GOROOT="/usr/lib/go"
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build649225145=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"

What did you do?

Minimal reproduction: https://play.golang.org/p/jMuUMK5TDL

What did you expect to see?

According to RFC 6455, headers for WebSocket upgrades are capitalized as Sec-WebSocket-* (e.g. Sec-WebSocket-Key). CanonicalHeaderKey should canonicalize those headers to be compliant with the spec.

What did you see instead?

CanonicalHeaderKey returns header keys capitalized as Sec-Websocket-* (without the uppercase S in Socket).

While this may not seem like a big deal, I've encountered real-world servers that rely on the correct capitalization (obviously not a good idea). It's especially problematic because all HTTP request parsing canonicalizes the header keys. This has led to some pretty severe issues with a proxy server I had running in production that had to forward WebSocket requests to arbitrary servers.


bradfitz commented Jan 2, 2017

Dup of #18476 #18196 #5022 etc

I don't think we're going to do anything here. RFC 6455 can't mandate the case of headers, since HTTP/1 says that they're case insensitive. And in HTTP/2 there is no case on the wire.

Sorry. I don't want to complicate Go and encourage buggy libraries from assuming case.
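
An added example, not code from the issue thread or from the Go project: a sketch of how a forwarding proxy can emit the RFC 6455 spelling for a case-sensitive backend, and how a receiver can look headers up without assuming case. It relies on net/http serializing HTTP/1 header keys exactly as they are stored in the map; the names RespellWebSocketHeaders, WireForm and LookupFold are hypothetical helpers, and the header value is a constructed sample.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"strings"
)

// rfc6455Names maps Go's canonical form to the spelling printed in RFC 6455.
var rfc6455Names = map[string]string{
	"Sec-Websocket-Key":        "Sec-WebSocket-Key",
	"Sec-Websocket-Version":    "Sec-WebSocket-Version",
	"Sec-Websocket-Protocol":   "Sec-WebSocket-Protocol",
	"Sec-Websocket-Extensions": "Sec-WebSocket-Extensions",
	"Sec-Websocket-Accept":     "Sec-WebSocket-Accept",
}

// RespellWebSocketHeaders returns a copy of h whose WebSocket keys use the
// RFC 6455 spelling. Keys are assigned to the map directly, because Set and
// Add would canonicalize them back to Sec-Websocket-*.
func RespellWebSocketHeaders(h http.Header) http.Header {
	out := make(http.Header, len(h))
	for k, vs := range h {
		if name, ok := rfc6455Names[http.CanonicalHeaderKey(k)]; ok {
			k = name
		}
		out[k] = append(out[k], vs...)
	}
	return out
}

// WireForm serializes h the way it is written on an HTTP/1 connection.
func WireForm(h http.Header) string {
	var buf bytes.Buffer
	h.Write(&buf)
	return buf.String()
}

// LookupFold finds a header by case-insensitive key comparison. Header.Get
// canonicalizes its argument and therefore misses non-canonical map keys.
func LookupFold(h http.Header, name string) string {
	for k, vs := range h {
		if strings.EqualFold(k, name) && len(vs) > 0 {
			return vs[0]
		}
	}
	return ""
}

func main() {
	in := http.Header{}
	in.Set("sec-websocket-key", "dGhlIHNhbXBsZSBub25jZQ==") // constructed sample value
	fmt.Print(WireForm(in))                          // as parsed by net/http
	fmt.Print(WireForm(RespellWebSocketHeaders(in))) // as forwarded
}
```

The respelled keys only matter on HTTP/1 connections; in HTTP/2 header names are lowercase on the wire regardless of how the map is keyed.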
