fix: do not canonicalize Sec-WebSocket-* headers in apps #5334
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mtojek
approved these changes
Dec 7, 2022
| // Some apps our customers use are sensitive to the case of these headers. | ||
| // | ||
| // https://github.com/golang/go/issues/18495 | ||
| var nonCanonicalHeaders = map[string]string{ |
There was a problem hiding this comment.
nit: Only these keys or every Sec-Websocket-*? If the latter one, maybe you can refactor it to the future-proof logic (Sec-Websocket-Foo, Sec-Websocket-Bar, etc.)
There was a problem hiding this comment.
I considered using a regex or some custom function to do it but decided against it as the websocket spec was made in 2011 and they haven't added any new headers that require this level of massaging since. Hashmap is the fastest so I think it's a fine trade off
There was a problem hiding this comment.
Fair enough, feel free to ship it
This was referenced Dec 7, 2022
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Browsers write
Sec-WebSocket-*headers, Golang canonicalizes the headers to becomeSec-Websocket-*and passes them on when we reverse proxy. This changes the reverse proxy to always send those headers asSec-WebSocket-*with a capital S.A customer was affected by this when running an app that didn't perform case-insensitive header checks (GTK broadwayd).
TODO: