This change allows for a few extra characters which are very common across the current web to be used in the header field values for the websocket handshake/upgrade request.
Reasoning
Space: This is used in the Authorization header to separate the type and credentials; it is also very common in User-Agents when separating each product field.
( and ): This is used in the User-Agent header when specifying extra system or platform details.
, and ;: Many common headers that specify "things which are allowed or disallowed" or "lists of things" use comma/semicolon-separated values. Examples include Accept, Accept-Encoding, Content-Type and Connection.
: and /: The Host, Origin and Referer headers can have these characters in their values to separate IP address and port, or after the scheme. Also, base64 uses a / as one of its characters and header values can sometimes be encoded to base64 if special characters are being transferred.
@: Used in email addresses in the From header.
=: Used when a header contains key-value pairs, such as Cookie and Range.
Notes
Instead of modifying headerRegex, I split the pattern for the header field name and field value into two patterns (the same as cookie) for finer control, since all the characters I've added to the header field value pattern should not be used in header field names.
There are a few characters in the header field name pattern which shouldn't be there (such as ~, |, *, etc.), but I've decided to leave them for backwards compatibility (in case someone is using them, for whatever reason).
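The name/value split described in the Notes, as an added example that is not part of the original pull request or the project's code. The pattern names, the exact value allow-list and the sample lines are assumptions; the point is that the value-only characters never become valid in a field name, and that CR/LF stays outside both sets.

```javascript
// Added example: hypothetical patterns, not the project's actual regexes.
// Field names: RFC 7230 "token" characters only (no space, colon, etc.).
const HEADER_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Field values: constructed allow-list of alphanumerics, a few token marks,
// plus the characters listed in this PR: space ( ) , ; : / @ =
// CR, LF and NUL are deliberately absent, so injected lines never match.
const HEADER_VALUE = /^[0-9A-Za-z\-._~+* (),;:\/@=]*$/;

function parseHandshakeHeaders(rawLines) {
  const accepted = new Map();
  const rejected = [];
  for (const line of rawLines) {
    const idx = line.indexOf(":");
    if (idx <= 0) {
      rejected.push({ line, reason: "no field name" });
      continue;
    }
    const name = line.slice(0, idx);
    // Optional whitespace is trimmed around the value only, never the name:
    // "Host : x" must fail rather than be normalised to "Host".
    const value = line.slice(idx + 1).replace(/^[ \t]+|[ \t]+$/g, "");
    if (!HEADER_NAME.test(name)) {
      rejected.push({ line, reason: "bad field name" });
    } else if (!HEADER_VALUE.test(value)) {
      rejected.push({ line, reason: "bad field value" });
    } else {
      accepted.set(name.toLowerCase(), value);
    }
  }
  return { accepted, rejected };
}

// Constructed sample upgrade-request header lines (not captured traffic).
const SAMPLE_LINES = [
  "Host: 127.0.0.1:8080",
  "Origin: https://example.com",
  "User-Agent: Mozilla/5.0 (X11; Linux x86_64)",
  "Accept-Encoding: gzip, deflate",
  "Authorization: Basic dXNlcjpwYXNz",
  "From: admin@example.com",
  "Cookie: session=abc123",
  "X-Test: ok\r\nInjected: 1", // embedded CRLF in the value
  "Bad Name: x",               // space inside the field name
  "Host : example.com",        // whitespace before the colon
];

const result = parseHandshakeHeaders(SAMPLE_LINES);
console.log([...result.accepted.keys()], result.rejected.map((r) => r.reason));
```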