fix(h2): preserve proxy authentication headers #2597
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
That Proxy-Authenticate and Proxy-Authorization are forbidden over h2 is not actually specified anywhere, plus h2 also supports CONNECT requests, which are specifically made to do requests over a proxy, and those proxies may require authentication, sometimes through Proxy-Authorization. Note that there is an openwebdocs project that just started to clear up any MDN-induced confusion in implementations: openwebdocs/project#43 Also, Daniel Stenberg (curl) also recently commented about Proxy-Connection not being stripped out by curl, Hyper may want to also remove Proxy-Connection from the list for that reason: https://twitter.com/bagder/status/1415967315817082880
|
Cc @bagder |
|
|
seanmonstar
approved these changes
Jul 16, 2021
There was a problem hiding this comment.
Yea, it does seem hyper was a little aggressive here, motivated by an MDN article. Thanks for the fix!
The HTTP/2 spec does directly spell out SHOULD remove Proxy-Connection. I imagine proxies that have been updated to use h2 will have to have dealt with that. If we get reports of it being a problem, we can consider then.
BenxiangGe
pushed a commit
to BenxiangGe/hyper
that referenced
this pull request
Jul 26, 2021
…eaders (hyperium#2597) That Proxy-Authenticate and Proxy-Authorization are forbidden over h2 is not actually specified anywhere, plus h2 also supports CONNECT requests, which are specifically made to do requests over a proxy, and those proxies may require authentication, sometimes through Proxy-Authorization. Note that there is an openwebdocs project that just started to clear up any MDN-induced confusion in implementations: openwebdocs/project#43
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
That Proxy-Authenticate and Proxy-Authorization are forbidden over h2
is not actually specified anywhere, plus h2 also supports CONNECT
requests, which are specifically made to do requests over a proxy,
and those proxies may require authentication, sometimes through
Proxy-Authorization.
Note that there is an openwebdocs project that just started to clear
up any MDN-induced confusion in implementations:
Also, Daniel Stenberg (curl) also recently commented about
Proxy-Connection not being stripped out by curl, Hyper may want to
also remove Proxy-Connection from the list for that reason: