frankenphp icon indicating copy to clipboard operation
frankenphp copied to clipboard
verified publisher icon php

invalid header {"header": "Access-Control-Allow-Origin:*"}

Open fcwys opened this issue 1 year ago • 12 comments

What happened?

2024/02/01 03:03:23.520	DEBUG	invalid header	{"header": "Access-Control-Allow-Origin:*"}
2024/02/01 03:03:23.520	DEBUG	invalid header	{"header": "Content-Type:application/json; charset=utf-8"}

Build Type

Standalone binary

Worker Mode

Yes

Operating System

GNU/Linux

CPU Architecture

x86_64

Relevant log output

No response

fcwys avatar Feb 01 '24 03:02 fcwys

The header is invalid. A space is missing after the colon.

Does FPM correct that automatically?

dunglas avatar Feb 01 '24 06:02 dunglas

I tested it normally in the PHP environment, but I don't know why

fcwys avatar Feb 01 '24 06:02 fcwys

Tested, it seems that there was no automatic correction.

After changing header('Access-Control-Allow-Origin:*'); to header('Access-Control-Allow-Origin: *');, it worked normally, but it ran normally in the previous PHP environment.

fcwys avatar Feb 01 '24 06:02 fcwys

What was the previous PHP environment? Were the headers sent to the client or just ignored? We display this log on purpose to be able to catch these kinds of errors instead of silencing them.

dunglas avatar Feb 01 '24 09:02 dunglas

The previous environment was PHP 8.0.2 and Nginx 1.25.2. In the above error, the header was not sent to the client. After correction, the client was able to receive the correct header.Before the fix, client requests were affected, but after the fix, they worked normally on FrankenPHP.

fcwys avatar Feb 01 '24 09:02 fcwys

Ok, with NGINX+FPM clients weren't receiving the header right? So we can close as this works as expected.

dunglas avatar Feb 01 '24 10:02 dunglas

Ok

fcwys avatar Feb 01 '24 13:02 fcwys

Just a friendly heads up, because I ran into this today :)

According to HTTP/1.1 specs, any amount of whitespace after the colon should be optional and ignored.

Or, if you prefer the more readable MDN:

a header is a case-insensitive name followed by a colon, then optional whitespace which will be ignored, and finally by its value

rasteiner avatar Feb 06 '25 14:02 rasteiner

Il, I wasn't aware of this. PR welcome, it should be an easy fix (I'll do it when I'll be back from vacation if still needed)

dunglas avatar Feb 06 '25 18:02 dunglas

I believe it is still working correctly, with the following php:

<?php

header("X-Test-Correct: hello world");
header("X-Test-Incorrect:hello world");

I see the following headers in my browser console going through php + fpm:

Image

I do not see X-Test-Incorrect as a listed header.

withinboredom avatar Feb 06 '25 23:02 withinboredom

Il, I wasn't aware of this. PR welcome, it should be an easy fix (I'll do it when I'll be back from vacation if still needed)

I guess it would be fixed by splitting on ":" rather than ": " here https://github.com/dunglas/frankenphp/blob/be2e4714f5624ba48824af07ad5e41ffafacda1b/frankenphp.go#L566

but I'm not familiar enough with golang to know if we also need to left-trim the value then or if Header().Add() already does, or if it doesn't actually matter

rasteiner avatar Feb 07 '25 08:02 rasteiner

It looks like Go doesn't ltrim the value, so we should do it: https://cs.opensource.google/go/go/+/refs/tags/go1.23.6:src/net/textproto/header.go;l=13

Also, in the spec it's stated that headers can be on multiple lines if the extra lines start with a space or a tab, I'm not sure that we support that.

dunglas avatar Feb 07 '25 11:02 dunglas