Comments (7)
I've long held the position that ASGI's position is not to be a low-level HTTP library but a useful abstraction that works for 95% of apps, and so given that I agree we should ban pseudo-headers from going through and we should synthesise a Host header.
from asgiref.
I'd have to read up more on pseudo-headers to know how they need to be mapped, but I agree they should be stripped out of the scope's headers, as that's meant for traditional-style headers.
As for `:authority`, I suspect we should synthesise a Host header, but it would be nice to know if there's any precedent for this among existing HTTP/2 servers?
from asgiref.
In terms of Python servers, I think `hypercorn` is the only one which handles HTTP/2 internally. AFAICT `hypercorn` does not explicitly handle `:authority` and passes all the pseudo-headers through to the ASGI app.
I'll let @pgjones confirm this is the case, but running Django 2.2 (wrapped in WsgiToAsgi) behind hypercorn triggered a host validation error, which is what caused me to investigate the situation.
If you're using `quart` as your framework you're in luck (otherwise you are not!):
In my demo HTTP/3 server I synthesise a `Host` header and do not pass any pseudo-headers to the ASGI app:
Looking beyond the Python ecosystem, nginx synthesises a `Host` header and does not pass through pseudo-headers when acting as a proxy. If you are running any Django apps behind an http2-enabled nginx this is why it "just works".
from asgiref.
I've started to think of `authority` as much a part of the HTTP request semantics as path, method, and scheme. I think this is what HTTP/1.0 implicitly says (with a mandatory Host header) and HTTP/2 & HTTP/3 explicitly say. For this reason I think ASGI servers should extract it and put it into the scope as the `authority` field (better name in my view than host). This has the advantage of putting all the HTTP request semantics together, allows apps to ignore HTTP version differences (which should be a server problem), and finally makes it clear that apps shouldn't just look for a host header (which doesn't exist in 2 & 3). I'd rather the "fudge" of creating a host header be left up to applications to do.
I'm currently happy to pass the pseudo headers through as it doesn't seem likely to cause a problem, I'd be just as happy to filter them out.
from asgiref.
I guess there's either:
- Have HTTP/2 servers fill in a `Host` header.
- Have all servers fill in an `authority` scope (although possibly making it optional/None-able, since it's being newly introduced.)
I think we should probably mandate that pseudo headers should not be included in the `headers` scope, since we'll steer usages towards better interoperability without them being present.
from asgiref.
I'm 100% for forbidding pseudo-headers in `headers` right now.
As for `Host` vs an `authority` scope, I'm (weakly) in favour of synthesising a `Host` header, primarily to give us instant compatibility with existing frameworks.
from asgiref.
See #123.
from asgiref.
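The behaviour discussed in this thread (no pseudo-headers in the scope's `headers`, a `Host` synthesised from `:authority`), written as ASGI middleware. This is an added example, not code from asgiref, hypercorn or any commenter: `normalise_headers`, `PseudoHeaderMiddleware`, `headers_seen_by_app` and the sample scope are hypothetical names and constructed data, and rejecting a `Host` that disagrees with `:authority` is a choice made in this example.

```python
import asyncio


def normalise_headers(raw_headers):
    """Drop pseudo-headers; synthesise Host from :authority when Host is absent."""
    authority = host = None
    regular = []
    for name, value in raw_headers:
        name = name.lower()
        if name.startswith(b":"):          # :method, :path, :scheme, :authority
            if name == b":authority":
                authority = value
            continue                       # never forwarded to the application
        if name == b"host":
            host = value
        regular.append((name, value))
    if authority is not None:
        if host is None:
            regular.insert(0, (b"host", authority))
        elif host.lower() != authority.lower():
            # Two different hosts would let host validation and routing disagree.
            raise ValueError("Host header and :authority disagree")
    return regular


class PseudoHeaderMiddleware:
    """Wraps an ASGI app so it only ever sees traditional-style headers."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] in ("http", "websocket"):
            scope = dict(scope, headers=normalise_headers(scope["headers"]))
        await self.app(scope, receive, send)


# Constructed scope, shaped like what a server passing pseudo-headers through would send.
CONSTRUCTED_SCOPE = {
    "type": "http", "http_version": "2", "method": "GET", "path": "/",
    "headers": [(b":method", b"GET"), (b":authority", b"example.test"),
                (b":path", b"/"), (b"accept", b"*/*")],
}


def headers_seen_by_app(scope):
    seen = {}
    async def app(inner_scope, receive, send):
        seen["headers"] = inner_scope["headers"]
    asyncio.run(PseudoHeaderMiddleware(app)(scope, None, None))
    return seen["headers"]
```
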