http2 client drops response headers if the value ends with a space

[timostamm]

Version

v23.6.1, v22.13.1, v20.18.2, v18.20.6

Platform

Darwin xxx 24.1.0 Darwin Kernel Version 24.1.0: Thu Oct 10 21:03:15 PDT 2024; root:xnu-11215.41.3~2/RELEASE_ARM64_T6000 arm64

Subsystem

http2

What steps will reproduce the bug?

Any response header value that starts or ends with a space or tab character is omitted in the HTTP/2 headers object of the response.

The server sends:

  res.writeHead(200, {
    "key1": "foo ",
    "key2": " foo",
    "key3": "foo\t",
    "key4": "\tfoo",
    "key5": "foo",
  })
;

The http2 client receives:

[Object: null prototype] {
  ':status': 200,
  key5: 'foo',
  date: 'Wed, 22 Jan 2025 13:03:04 GMT',
  [Symbol(nodejs.http2.sensitiveHeaders)]: []
}

Script to reproduce

import { createServer, connect } from "node:http2";

const port = 8011;

const server = createServer(async (req, res) => {
  res.writeHead(200, {
    "key1": "foo ",
    "key2": " foo",
    "key3": "foo\t",
    "key4": "\tfoo",
    "key5": "foo",
  });
  res.end();
});
server.listen(port, () => {
  // Alternatively, comment out call(), and run:
  // curl -v http://localhost:8011 --http2-prior-knowledge
  // This will show response headers with surrounding whitespace, proving that the issue is in the client.
  call();
});

function call() {
  const session = connect(`http://localhost:${port}`);
  session.on("error", (err) => console.error(err));
  const stream = session.request({
    ":path": "/",
  });
  stream.on("response", (headers, flags) => {
    console.log("client received response headers:", headers);
  });
  stream.on("end", () => {
    session.close();
    server.close();
  });
  stream.end();
}

How often does it reproduce? Is there a required condition?

Always, for response header values that start or end with a space or tab character.

What is the expected behavior? Why is that the expected behavior?

I expect to receive trimmed field values. I do not expect fields to be silently dropped.

Expected output:

[Object: null prototype] {
  ':status': 200,
  key1: 'foo',
  key2: 'foo',
  key3: 'foo',
  key4: 'foo',
  key5: 'foo',
  date: 'Wed, 22 Jan 2025 13:03:04 GMT',
  [Symbol(nodejs.http2.sensitiveHeaders)]: []
}

What do you see instead?

Omitted header fields key 1 to 4:

[Object: null prototype] {
  ':status': 200,
  key5: 'foo',
  date: 'Wed, 22 Jan 2025 13:03:04 GMT',
  [Symbol(nodejs.http2.sensitiveHeaders)]: []
}

Additional information

RFC 7540 states:

Any request or response that contains a character not permitted in a header field value MUST be treated as malformed (Section 8.1.2.6). Valid characters are defined by the "field-content" ABNF rule in Section 3.2 of [RFC7230].

RFC 7230 states:

Each header field consists of a case-insensitive field name followed by a colon (":"), optional leading whitespace, the field value, and optional trailing whitespace.

header-field   = field-name ":" OWS field-value OWS
[...]
field-value    = *( field-content / obs-fold )
field-content  = field-vchar [ 1*( SP / HTAB ) field-vchar ]

Appendix B defines OWS = *( SP / HTAB ).

Based on this definition, I expect space and tab around field-content to be permitted in a header-field, but to be discarded when parsing the field-value.

[islandryu]

Probably, nghttp2 supports the contents of RFC 9113.

https://www.rfc-editor.org/rfc/rfc9113.html#section-8.2.1

A field value MUST NOT start or end with an ASCII whitespace character (ASCII SP or HTAB, 0x20 or 0x09).

[gurgunday]

I think it should be rejected. 9113 prohibits those.

[evaks]

I think should not rejected this is for server request and fine to reject, as the spec says
When a request message violates one of these requirements, an implementation SHOULD generate a 400 (Bad Request) status code

But a client cannot just reject that ignore that field for example in my case a proxy, it will simply lose the header and there is no way to get the header from the server, other than implementing your own http2 protocol. Especially since browsers do not ignore that header.