Match Vary: Service-Worker response header case-insensitively #382

Open
durvesh1992 wants to merge 1 commit into facebookincubator:main from durvesh1992:fix/vary-service-worker-header-case

@durvesh1992


Summary

hasVaryServiceWorkerHeader compared the response header name against the lowercase literal 'vary' and the value against 'Service-Worker', both case-sensitively:

header.name.includes('vary') &&
header.value?.includes('Service-Worker')

HTTP header names are case-insensitive, and servers send the canonical Vary header capitalized. As a result a perfectly valid Vary: Service-Worker response header was not detected. The field names listed in a Vary value are header names too, so they are likewise case-insensitive.

This is the only place in the codebase where a response header name is compared without first lowercasing it — compare getCSPHeadersFromWebRequestResponse (header.name.toLowerCase() === 'content-security-policy') and setUpWebRequestsListener (header.name.toLowerCase().includes('x-content-type-options')).

Downstream, isServiceWorker (content.ts) is derived from this check and controls whether the Service-Worker: script request header is sent when re-fetching, so a miss here can fetch the wrong resource variant.

Fix

Normalize both name and value to lower case before matching.

Test plan

Added src/js/__tests__/hasVaryServiceWorkerHeader-test.js covering lowercase vary, the canonical capitalized Vary, a lowercase service-worker token in the value, the negative case, and missing response headers. Verified failing before the fix (capitalized-name and lowercase-value cases) and passing after.

Full suite: 11 passed, 97 tests passed (was 92), no regressions.

HTTP header names are case-insensitive, and the field names listed in a
Vary header value are too. hasVaryServiceWorkerHeader matched the name
against the lowercase literal 'vary' and the value against 'Service-Worker',
so a canonical 'Vary: Service-Worker' response header was not detected.

This is the only place a response header name is compared without first
lowercasing it (cf. getCSPHeadersFromWebRequestResponse and
setUpWebRequestsListener). Normalize both name and value before matching
and add tests covering the casing variants.
@meta-cla meta-cla Bot added the CLA Signed label Jun 29, 2026
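
The casing behaviour described in this pull request, as an added example that is not code from the PR or the project: `matchCaseSensitive` reproduces the quoted comparison, `matchNormalized` applies the described lower-casing, and `matchStrict` goes beyond the PR by matching the exact header name and each comma-separated field name. All function names, the `{responseHeaders: [{name, value}]}` input shape and the sample headers are assumptions constructed for illustration.

```javascript
// Added example, not code from the pull request. Names and the
// {responseHeaders: [{name, value}]} input shape are assumptions.
const headersOf = response => response.responseHeaders ?? [];

// The comparison quoted in the summary: case-sensitive on name and value.
const matchCaseSensitive = response =>
  headersOf(response).some(
    h => h.name.includes('vary') && Boolean(h.value?.includes('Service-Worker')),
  );

// The fix as described: lower-case name and value before matching.
const matchNormalized = response =>
  headersOf(response).some(
    h =>
      h.name.toLowerCase().includes('vary') &&
      (h.value ?? '').toLowerCase().includes('service-worker'),
  );

// Stricter variant (beyond the PR): exact header name, and an exact match
// against each comma-separated field name in the Vary value.
const matchStrict = response =>
  headersOf(response).some(
    h =>
      h.name.toLowerCase() === 'vary' &&
      (h.value ?? '').split(',').some(f => f.trim().toLowerCase() === 'service-worker'),
  );

// Constructed sample responses; none are captured traffic.
const SAMPLES = {
  lowercaseName: {responseHeaders: [{name: 'vary', value: 'Service-Worker'}]},
  canonical: {responseHeaders: [{name: 'Vary', value: 'Accept-Encoding, Service-Worker'}]},
  lowercaseValue: {responseHeaders: [{name: 'Vary', value: 'service-worker'}]},
  unrelated: {responseHeaders: [{name: 'Vary', value: 'Accept-Encoding'}]},
  lookalike: {responseHeaders: [{name: 'Vary', value: 'X-Service-Worker-Hint'}]},
  noHeaders: {},
};

// Run one matcher over every sample and return {label: boolean}.
const runAll = matcher =>
  Object.fromEntries(Object.entries(SAMPLES).map(([k, r]) => [k, matcher(r)]));

console.table({
  caseSensitive: runAll(matchCaseSensitive),
  normalized: runAll(matchNormalized),
  strict: runAll(matchStrict),
});
```

The constructed `lookalike` row is the only one where the normalized substring match and the strict field-name match disagree.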