Duplicate HTTP headers should be removed

Created on 17 March 2017, about 7 years ago
Updated 3 April 2024, 10 days ago

Problem/Motivation

Came across a site recently which output duplicate HTTP headers for example:

Link: </node/123>; rel="shortlink"
Link: </node/123>; rel="revision"
Link: </node/123>; rel="shortlink"
Link: </node/123>; rel="revision"

Eventually the duplicate headers were sufficient for Varnish (4) to throw an error, along the lines of:

--  BogoHeader     Too many headers: Link: </node/123/trans
--  HttpGarbage    "HTTP/1.1%00"
--  BerespStatus   503
--  BerespReason   Service Unavailable
--  FetchError     http format error

This happened when these sets of headers were each being emitted 4 times:

$ curl -SLIXGET example.com | grep '^Link' | sort | uniq -c

      4 Link: </devel/node/123/definition>; rel="devel-definition"
      4 Link: </devel/node/123>; rel="devel-load"
      4 Link: </devel/node/123/render>; rel="devel-render"
      4 Link: </node/123/delete>; rel="delete-form"
      4 Link: </node/123/devel/token>; rel="token-devel"
      4 Link: </node/123/edit>; rel="edit-form"
      4 Link: </node/123/manage_display>; rel="display"
      4 Link: </node/123>; rel="revision"
      4 Link: </node/123>; rel="shortlink"
      4 Link: </node/123/revisions>; rel="version-history"
      4 Link: </node/123/translations/add>; rel="drupal:content-translation-add"
      4 Link: </node/123/translations/delete>; rel="drupal:content-translation-delete"
      4 Link: </node/123/translations/edit>; rel="drupal:content-translation-edit"
      4 Link: </node/123/translations>; rel="drupal:content-translation-overview"

It's almost certain that the site is doing something wrong in order to be generating these duplicate headers.

However, should core prevent the duplicate headers from being output? It's relatively simple to do so.

Patch on the way which implements this - would welcome any opinions on whether this is core's responsibility though.

The related RFC is RFC 9110 HTTP Semantics.

Steps to reproduce

See https://www.drupal.org/project/drupal/issues/2861552#comment-12120985 ๐Ÿ› Duplicate HTTP headers should be removed RTBC and https://www.drupal.org/project/drupal/issues/2861552#comment-15144040 ๐Ÿ› Duplicate HTTP headers should be removed RTBC
Basically duplicate headers set through code in Event Listener or in render array is the issue.
To verify the issue see response headers in network tab.

This issue is also present when a custom views cache plugin sets http_header values in \Drupal\views\Plugin\views\cache\CachePluginBase::postRender(). The render array manipulated in that function is essentially the wrapping $views->element array but passed by referenced, resulting in the #attached being duplicated twice. One could say this issue is better left to be handled within \Drupal\Core\Render\BubbleableMetadata::mergeAttachments() just like we do for drupalSettings and placeholders

A sample render array to replicate the bug is as follows:

[
  'child' => [
    '#markup' => 'child_markup',
    '#attached' => [
      'http_header' => [
        [
          'Expires',
          'Thu, 04 Apr 2024 00:00:00 GMT',
        ],
      ],
    ],
  ],
  '#attached' => [
    'http_header' => [
      [
        'Expires',
        'Thu, 04 Apr 2024 00:00:00 GMT',
        // We can pass a third TRUE array value here to always override. But probably shouldn't be necessary.
      ],
    ],
  ],
];

Proposed resolution

Remove duplicate headers from response (only if the value is the same as there are still smaller use cases where you might want multiple header values).

Remaining tasks

Decide which solution is preferred, #18 ๐Ÿ› Duplicate HTTP headers should be removed RTBC , which prevents the addition of duplicate headers or the latest MR which removes duplicate headers.

User interface changes

N/A

API changes

N/A

Data model changes

N/A

Release notes snippet

N/A

๐Ÿ› Bug report
Status

Needs work

Version

11.0 ๐Ÿ”ฅ

Component
Renderย  โ†’

Last updated about 15 hours ago

Created by

๐Ÿ‡ฌ๐Ÿ‡งUnited Kingdom mcdruid ๐Ÿ‡ฌ๐Ÿ‡ง๐Ÿ‡ช๐Ÿ‡บ

Live updates comments and jobs are added and updated live.
  • Needs issue summary update

    Issue summaries save everyone time if they are kept up-to-date. See Update issue summary task instructions.

  • Needs subsystem maintainer review

    It is used to alert the maintainer(s) of a particular core subsystem that an issue significantly impacts their subsystem, and their signoff is needed (see the governance policy draft for more information). Also, if you use this tag, make sure the issue component is set to the correct subsystem. If an issue significantly impacts more than one subsystem, use needs framework manager review instead.

Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates : some issue and comment data are missing.

Production build https://api.contrib.social 0.62.1