-
-
Notifications
You must be signed in to change notification settings - Fork 984
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for plain asterisk route #976
base: master
Are you sure you want to change the base?
Conversation
Curious what usecase you have that you've run into this? I wouldn't expect session details to be relevant to an OPTIONS request regardless of the URL. If we took this it would be to ensure consistency, but Im not certain it doesn't have knock on effects or vulnerabilities this could open up. An options request with wildcard URL is an edgecase. It's valid under the spec, but is considered a noop and edgecase even by the spec:
|
Consistency is the reason I made the pull request. Right now the
I checked my server's logs and found out that it had received some |
Hmmm very interesting! At the least the codepath in the diff is not spec compliant in source today bc options requests have a special affordance that they can use a wildcard here. But are wildcard options requests the only reason |
Correct. As far as I know, wildcard options requests are the only reason |
Actually this isn't a spec issue. The spec informs that this is a valid request, and Node lets it through because of that. But whether the request matches the path we've configured is up for debate. We're comparing the path option for cookies to the request's path. The semantics of cookie path matching and wildcard requests don't map well to each other. Given a specific path like: But the default is I don't think anyone else handles this, fastify session would also not match the path for example. So if a change was going to be taken, it should be to treat a wildcard as semantically the same as when the cookie path is set to all subdirs. Because apparently HTTP has more than one way to express "all subdirs" by way of the options wildcard request-target. TIL (note: should anyone bother with sessions on OPTIONS? also up for debate! but the reality is rn we would dress all options requests in sessions with the default settings, except these wildcard ones) |
Just opened #977 as a draft. Feel free to use it in your PR if you agree with it. Don't wanna snatch the glory from you if this does get taken. It's a draft bc I didn't add a test for this or even test it ad hoc 😉 |
When an
OPTIONS
request with a plain asterisk (*) as the URL is made to the server, the session object is not getting attached to thereq
object.To replicate the issue:
JS code:
Client command:
curl -X OPTIONS --request-target "*" example.com -i
Expected:
req.session
not beingundefined
regardless of the requestActual:
req.session
isundefined