-
-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Behavior of header matching should treat field names as case-insensitive, but not values #1360
Comments
@scottashipp thanks for the details:
|
@scottashipp it would be great if you can try the |
Great I will verify today! |
I have confirmed that the |
@ptrthomas will this fix be part of next release? |
@ilamn yes, you can try this now in 0.9.9.RC3 - please read https://github.com/intuit/karate/wiki/1.0-upgrade-guide |
Thanks. I tried in 0.9.9.RC3 . still fails for me. And def cookie = responseHeaders['Set-Cookie'][0] And def cookie = responseHeaders['set-cookie'][0]
|
@ilamn before I look at the zip file may I mention:
so please re-confirm |
yes @ptrthomas I confirm
Thanks a lot for your time. |
@ilamn awesome, indeed our miss. would be great if you can build from source and confirm: https://github.com/intuit/karate/wiki/Developer-Guide |
Thanks a lot for the quick turnaround @ptrthomas . can confirm it works now. is there any further RC planned ? would be nice if there is one, so that I can use the fix at my work. |
@ilamn yes I can confirm the last RC4 will go out this week |
Overview
First, the default behavior of Karate is incorrect in how it handles the matching of header field names. It treats them in a case-sensitive manner, which is incorrect, as will be explained below.
Second, the documentation is (perhaps inadvertently) misleading in that it suggests that both header field names and header field values are treated case-insensitive according to the HTTP spec.
Problem 1 Detailed
For Karate to correctly follow the HTTP Spec for headers, it should have default behavior as follows:
match header <field-name> == // etc..
the field name in question should be found no matter what case it is supplied in.For example, whether or not the user enters
vary
orVary
here, and whether or not it is returned in the response asvary
orVary
, or even asvArY
, it should match.Problem 1 Explanation
The HTTP spec specifies that:
It explicitly does not specify the same for field values, thus indicating that field values should be treated in a case-sensitive manner.
For further proof of this, consider that the curl command lowercases all header field names by default, but not the field values.
In issue 504, the same issue was raised, but the decision appears to have been to introduce a secondary feature that can be toggled on to configure lower-casing of both header field names and header field values prior to when matching occurs. That is fine as an additional feature since it is documented, but that solution also does not meet the spec because it lowercases both the header field names and header field values.
The bottom line is that Karate does not adhere to the HTTP spec in either the default configuration or when
lowerCaseResponseHeaders
has been set totrue
.Problem 1 Proposed solution
By default, Karate should match header field names in a case-insensitive way.
Problem 2 Detailed
The README documentation incorrectly states the following:
Problem 2 Explanation
The README statement is incorrect. Headers are not case-insenstive according to the spec. Field names are.
Problem 2 Proposed Solution
The README should be reworded to something like the following:
Zip repro
The attached zip file contains a minimal, complete, and verifiable example. The scenario therein should succeed if Karate's default behavior correctly reflected the HTTP spec because the value in the response from the fake JSON service (at least at the time of this writing) is as follows:
Which means that the
And match header vary == 'Origin, Accept-Encoding'
assertion should succeed. Currently it fails.The text was updated successfully, but these errors were encountered: