HTTP types: headers, status codes, methods, bodies, MIME types

http, requests: canonicalize header values at cache Vary comparison

- Headers.mli gets a 'Values are stored verbatim' note explaining
why add/set do not normalise: proxies, replay signers and strict
round-trip callers need the original bytes. Points at
canonicalize_value for anyone comparing values across
implementations.

- Requests.Features.Cache.vary_matches now canonicalises both sides
before equality. Two requests whose Vary-keyed headers differ only
in insignificant whitespace should reuse the same cache entry;
the previous String.equal missed that.

Reviewed other Headers users across the monorepo. Skipped:
- parse_connection_header / TE='trailers' checks already lowercase+trim
on a per-token basis, which is the right rule for comma-delimited
tokens.
- Digest auth parser (WWW-Authenticate) trims outer whitespace then
hands off to a quoted-string-aware parser; collapsing internal
whitespace would mangle realms with significant spaces.
- HTTP/2 HPACK relies on exact-byte matching against the static
table; canonicalising before lookup would break compression.
- RFC 9421 HTTP Message Signatures (features/signature.ml) uses the
value raw and needs its own spec-specific normalisation (strip
leading/trailing only) — separate bug, separate fix.
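The comparison rule the commit describes, as an added illustration rather than code from the repository: the bodies of `Headers.canonicalize_value` and `Requests.Features.Cache.vary_matches` are not shown on this page, so the `canonicalize_value`, `request`, `find_header` and `vary_matches` below are hypothetical stand-ins that follow the commit message (trim outer and collapse interior SP/HTAB, canonicalise only at the comparison point, keep stored bytes verbatim). RFC 9111 Section 4.1 allows exactly this kind of whitespace normalisation when matching Vary-selected headers and says a Vary of `*` never matches; both are reflected below. The sample requests are constructed.

```ocaml
(* Hypothetical stand-in for Headers.canonicalize_value (the page only
   names it). RFC 9110 optional whitespace (OWS) is SP / HTAB. *)
let is_ows c = c = ' ' || c = '\t'

(* Trim leading/trailing OWS and collapse each interior run of OWS to a
   single SP. No case folding: header values are not case-insensitive
   in general, only their names are. *)
let canonicalize_value (v : string) : string =
  let buf = Buffer.create (String.length v) in
  let pending_space = ref false in
  let seen_non_ws = ref false in
  String.iter
    (fun c ->
      if is_ows c then begin
        (* remember a gap; emit one SP only if a non-OWS byte follows *)
        if !seen_non_ws then pending_space := true
      end else begin
        if !pending_space then Buffer.add_char buf ' ';
        pending_space := false;
        seen_non_ws := true;
        Buffer.add_char buf c
      end)
    v;
  Buffer.contents buf

(* Minimal request model, constructed for this example; the library's real
   Requests/Headers types are not reproduced here. *)
type request = { headers : (string * string) list }

(* Names are case-insensitive (RFC 9110), so look up after case-folding;
   the stored value is returned byte-for-byte, never canonicalised. *)
let find_header (r : request) (name : string) : string option =
  let key = String.lowercase_ascii name in
  List.find_map
    (fun (n, v) -> if String.lowercase_ascii n = key then Some v else None)
    r.headers

(* Stand-in for Requests.Features.Cache.vary_matches: the cached response is
   reusable for [incoming] when every header named in [vary] agrees after
   canonicalisation on both sides. Absent on both sides counts as agreement;
   absent on one side only does not. Vary: * never matches (RFC 9111 s4.1). *)
let vary_matches ~(vary : string list) (cached : request) (incoming : request)
    : bool =
  if List.mem "*" vary then false
  else
    List.for_all
      (fun name ->
        match find_header cached name, find_header incoming name with
        | None, None -> true
        | Some a, Some b ->
            String.equal (canonicalize_value a) (canonicalize_value b)
        | _ -> false)
      vary

(* Constructed sample requests: the Vary-keyed header differs only in
   insignificant whitespace, so the cache entry should be reused. *)
let cached =
  { headers = [ ("accept-encoding", "gzip,  deflate "); ("host", "example.com") ] }

let incoming =
  { headers = [ ("Accept-Encoding", "gzip, deflate"); ("host", "example.com") ] }

let () =
  let vary = [ "Accept-Encoding" ] in
  Printf.printf "vary_matches (whitespace-only difference): %b\n"
    (vary_matches ~vary cached incoming);
  (* Storage is untouched: only the comparison canonicalises. *)
  (match find_header cached "Accept-Encoding" with
   | Some v -> Printf.printf "stored verbatim: %S\n" v
   | None -> ());
  (* A genuinely different value still misses the cache. *)
  let other = { headers = [ ("accept-encoding", "br") ] } in
  Printf.printf "vary_matches (br vs gzip): %b\n" (vary_matches ~vary cached other);
  (* Why the Digest parser is skipped in the commit: interior whitespace inside
     a quoted realm is significant, and collapsing it would change the realm. *)
  Printf.printf "digest challenge after canonicalize_value: %S\n"
    (canonicalize_value "Digest realm=\"Internal  Tools\", qop=\"auth\"")
```

Run with `ocaml vary_example.ml` (no external packages). The last line is the reason canonicalisation belongs at the comparison point rather than in `add`/`set`: the same function that correctly equates the two `Accept-Encoding` values would silently rewrite a quoted-string realm if it ran on every stored value.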

+13 -1
lib/headers.mli
··· 31 31 Header names and values are validated to prevent HTTP header injection 32 32 attacks. CR and LF characters are rejected per 33 33 {{:https://datatracker.ietf.org/doc/html/rfc9110#section-5.5}RFC 9110 34 - Section 5.5}. *) 34 + Section 5.5}. 35 + 36 + {2 Values are stored verbatim} 37 + 38 + Names are case-folded because they are case-insensitive per RFC 9110. Values 39 + are stored exactly as given; leading, trailing, and interior whitespace is 40 + preserved. Round-trip through {!set} + {!find} never loses bytes. 41 + 42 + When two implementations must agree on a value's exact byte representation — 43 + header signing (AWS SigV4, RFC 9421), cache-key comparison (Vary), HPACK 44 + static-table matching — call {!canonicalize_value} at the comparison point. 45 + Do not bake canonicalisation into storage: proxies, replay signers, and 46 + strict round-trip use cases need the original bytes. *) 35 47 36 48 val src : Logs.Src.t 37 49 (** Log source for header operations. *)
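Review bot: the patch's change list (+13 -1, lib/headers.mli only) contains just the doc-comment addition; the Requests.Features.Cache.vary_matches change described in the message is not part of this diff, and the new text cross-references {!canonicalize_value} without that value being declared in the visible hunk, so either the function already exists further down headers.mli or odoc will report an unresolved reference. Suggest confirming that the vary_matches change is committed alongside this one (or adjusting the message), and stating in the new "Values are stored verbatim" section what {!canonicalize_value} does to interior whitespace (collapse runs of SP/HTAB to one SP, or strip leading/trailing only?), since the message's own RFC 9421 note says the two conventions differ and a reader of the .mli cannot tell which one the Vary comparison relies on.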