Match Vary: Service-Worker response header case-insensitively#382
Open
durvesh1992 wants to merge 1 commit into
Open
Match Vary: Service-Worker response header case-insensitively#382durvesh1992 wants to merge 1 commit into
durvesh1992 wants to merge 1 commit into
Conversation
HTTP header names are case-insensitive, and the field names listed in a Vary header value are too. hasVaryServiceWorkerHeader matched the name against the lowercase literal 'vary' and the value against 'Service-Worker', so a canonical 'Vary: Service-Worker' response header was not detected. This is the only place a response header name is compared without first lowercasing it (cf. getCSPHeadersFromWebRequestResponse and setUpWebRequestsListener). Normalize both name and value before matching and add tests covering the casing variants.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
hasVaryServiceWorkerHeadercompared the response header name against the lowercase literal'vary'and the value against'Service-Worker', both case-sensitively:HTTP header names are case-insensitive, and servers send the canonical
Varyheader capitalized. As a result a perfectly validVary: Service-Workerresponse header was not detected. The field names listed in aVaryvalue are header names too, so they are likewise case-insensitive.This is the only place in the codebase where a response header name is compared without first lowercasing it — compare
getCSPHeadersFromWebRequestResponse(header.name.toLowerCase() === 'content-security-policy') andsetUpWebRequestsListener(header.name.toLowerCase().includes('x-content-type-options')).Downstream,
isServiceWorker(content.ts) is derived from this check and controls whether theService-Worker: scriptrequest header is sent when re-fetching, so a miss here can fetch the wrong resource variant.Fix
Normalize both name and value to lower case before matching.
Test plan
Added
src/js/__tests__/hasVaryServiceWorkerHeader-test.jscovering lowercasevary, the canonical capitalizedVary, a lowercaseservice-workertoken in the value, the negative case, and missing response headers. Verified failing before the fix (capitalized-name and lowercase-value cases) and passing after.Full suite:
11 passed, 97 tests passed(was 92), no regressions.