fix(res.send): add Content-Length header only if Transfer-Encoding is not present#4893
Conversation
dougwilson
left a comment
There was a problem hiding this comment.
Please add a test that fails without this change and passes with it so the fix does not regress.
|
Hey @dougwilson , |
|
Hey, sorry I was just trying to get the new release out. It looks like you still need to add a test for the change to res.redirect, as that was changed too. I also took a look in the Node.js source and they also have logic for content-length vs transfer-encoding, but node.js only does stuff if transfer-encoding contains chunked while here is it any value (even a single space character). Is that intentional? Should we follow what the node.js logic is? It may help if the underlying issue you ran in to for this change was disclosed. |
|
Hey @dougwilson, About the issue we are running in. |
|
Ah, ok. Can you add tests for other values of transfer-encoding besides chunked as well, then? We want to make sure that res.send will work with other values too. As for mocking exact replicas of other apis, you typically want to use the lower-level apis for that like res.write and res.end instead of res.send. |
|
Hey @dougwilson, Regards, |
|
Hey! It's no problem at all :) Thanks for adding to the tests. But I think there is an issue with them: though you added other values, it does not seem like res.send is actually honoring them. For example, if you have Transfer-Encoding: gzip set, can the test show that res.send will actually send it as gzip? Example I would expect |
|
Hey @dougwilson! Can we actually test that our response transforms to gzip? I think its very low level and I'm not sure that nodejs can transform our response to gzip/compress/deflate. Because I did not find any mentions about Of course tools like I have a suggestion to check our response for having a Please, correct me guys if I’m wrong. Thank you! |
eb10dba to
340be0f
Compare
|
You can check the spec for transfer-encoding at https://datatracker.ietf.org/doc/html/rfc9112#name-transfer-encoding The very first example shows how it can invlue gzip. |
|
@dougwilson Do you expect that response has corresponding |
bjohansebas
left a comment
There was a problem hiding this comment.
LGTM. Some considerations to keep in mind are that Transfer-Encoding might indicate that the response is gzip or some other encoding, while the data being sent is actually not transformed to that encoding. I’d say that responsibility lies with the developer to ensure the data is sent in the correct format—there’s no real way for Express to validate that, and I don’t think we should limit ourselves to only checking whether transfer-encoding has the value chunked. Regardless of the value, those two headers must not be present together.
There was a problem hiding this comment.
Im on the fence here. The response is malformed bc of user action.
Using res.send was the wrong tool for the reporter’s use case. But since res.send already tries to set appropriate headers and respects other user set headers, checking for this edge case makes sense for consistency.
Compliant clients/intermediaries favor Transfer-Encoding over Content-Length, so removing the conflict only reduces risk.
Im trying to think through if taking a change here increases or reduces possible malformed responses folks can send, hence being on the fence.
Edit: I can only see how it reduces the number of malformed responses possible. As any compliant client should already be ignoring content length when transfer-encoding is present. So removing content-length when transfer-encoding is present should be a noop for compliant clients.
Intent
Content-LengthandTransfer-Encodingcan't be present in the response headers together,Content-Lengthshould be added only if there is noTransfer-Encodingheader.