You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I know this issue has been discussed before, but I'm not sure if this use case has been brought considered. In some cases it can be useful for a WAF to understand what the original header order of a request was. For example see this attempt to detect phantomjs browsers based on when the Host header appears. https://blog.shapesecurity.com/2015/01/22/detecting-phantomjs-based-visitors/
If go can record/model header order then go can more easily do WAF stuff and block bad requests going into an organization's network, arguably an enhancement in an area Go is already optimized for (network proxies).
I propose adding a attribute to http.Request called RawHeader which is a [][2]string.
I've ran a fork of go with this particular enhancement for a couple years, and my organization has found this feature useful.
I doubt we will add a RawHeader field. At least, unlike #19292, there seems to be an actual use case, although narrow. Ideally this would be a dup of #18997.
I agree that tracing is a better way to get this data, if at all. Putting anything new like this into Request bloats request and forces extra tracking and preparation for something that 99.99% of clients are never going to ask for. In contrast, tracing can be restricted to only the times when tracing is actually happening. It doesn't take up extra space in data structures or extra execution time the rest of the time. Going to mark close this. If you would like to interpret this as a dup of #18997, that's fine, although that issue doesn't seem close enough to a clear proposal to evaluate whether that's really true.
I know this issue has been discussed before, but I'm not sure if this use case has been brought considered. In some cases it can be useful for a WAF to understand what the original header order of a request was. For example see this attempt to detect phantomjs browsers based on when the Host header appears. https://blog.shapesecurity.com/2015/01/22/detecting-phantomjs-based-visitors/
If go can record/model header order then go can more easily do WAF stuff and block bad requests going into an organization's network, arguably an enhancement in an area Go is already optimized for (network proxies).
I propose adding a attribute to http.Request called RawHeader which is a [][2]string.
I've ran a fork of go with this particular enhancement for a couple years, and my organization has found this feature useful.
See also #19292
The text was updated successfully, but these errors were encountered: