alphagov / govuk-developer-docs

📖 Tech docs for everyone working on GOV.UK
https://docs.publishing.service.gov.uk
MIT License

`govuk-abtest` Headers Appearing in requests to our API #1563

Closed MatthewDailey closed 5 years ago

MatthewDailey commented 5 years ago

We had a user from the UK write in that they were receiving an error on a specific route to our service because they appeared unauthenticated for this specific request. They were able to interact with the site and send successful requests to other routes before and after this failing request.

When we looked into it, we saw that their browser appeared to be sending our cookie but our service was not receiving the cookie and was instead receiving a request with headers that look like govuk-abtest-* cookie values.

This is pretty inexplicable to us, especially given that we use CloudFront as a CDN and not Fastly. Do you have any idea what's going on here?

Here's the request:

```
{ 'x-real-ip': '<redacted>',
  'x-forwarded-for': '<redacted>',
  'x-forwarded-proto': 'https',
  host: 'www.figma.com',
  'x-nginx-proxy': 'true',
  'content-length': '2819252',
  origin: 'https://www.figma.com',
  'user-agent':
   'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36',
  'x-csrf-bypass': 'true',
  'content-type': 'image/png',
  accept: '*/*',
  'govuk-abtest-contentpagesnav': 'B',
  'govuk-abtest-tasklistsidebar': 'B',
  'govuk-abtest-tasklistheader': 'B',
  'govuk-abtest-guidechapternav': 'B',
  'govuk-abtest-contextualcomms': 'BlueBoxCampaign',
  'govuk-abtest-topicpagestest': 'A',
  referer: '<redacted>',
  'accept-encoding': 'gzip, deflate, br',
  'accept-language': 'en-GB,en-US;q=0.9,en;q=0.8' }
```

tijmenb commented 5 years ago

Hi @MatthewDailey, sorry for the late reply. Does this customer have any relationship with GOV.UK? Normal browsers wouldn't ever send the govuk-abtest-* header, they would use a cookie (which Fastly then translates to the govuk-abtest-* header).

However, we internally have tools that set the header (https://github.com/alphagov/govuk-browser-extension). That's the only thing I can think of at the moment.

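The cookie-to-header step tijmenb describes, as an added example that is not part of this thread and not GOV.UK's or Fastly's own configuration: a small Node.js model of an edge that turns `govuk-abtest-*` cookies into `govuk-abtest-*` request headers, and of the check an origin that sits behind a CDN doing no such translation (the CloudFront case above) can run on what it receives. The function names, the strip-then-translate order, and the three sample requests are assumptions constructed for the example; the thread does not show the real edge logic.

```javascript
// Added illustration for this thread, not GOV.UK's or Fastly's own code: a
// model of the edge step (govuk-abtest-* cookie -> header) and the origin-side
// check a service that is NOT behind such an edge can run. Function names, the
// strip-then-translate order and the sample requests are assumptions.

const ABTEST_PREFIX = "govuk-abtest-";

// Case-insensitive header lookup (Node lower-cases header names; raw dumps may not).
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return v;
  }
  return undefined;
}

// Parse a Cookie header into name -> value; the first occurrence of a name wins,
// which matches the order browsers send duplicates in.
function parseCookies(cookieHeader) {
  const out = {};
  if (!cookieHeader) return out;
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name && !(name in out)) out[name] = value;
  }
  return out;
}

// Edge step: drop every govuk-abtest-* header the client sent, then re-derive
// those headers from govuk-abtest-* cookies. Without the strip, a client (or a
// browser extension) could hand the origin any variant it liked.
function translateAbtestCookies(headers) {
  const out = {};
  const stripped = [];
  for (const [k, v] of Object.entries(headers)) {
    const key = k.toLowerCase();
    if (key.startsWith(ABTEST_PREFIX)) {
      stripped.push(key);
      continue;
    }
    out[key] = v;
  }
  const cookies = parseCookies(getHeader(headers, "cookie"));
  for (const [name, value] of Object.entries(cookies)) {
    const key = name.toLowerCase();
    if (key.startsWith(ABTEST_PREFIX)) out[key] = value;
  }
  return { headers: out, stripped };
}

// Origin-side check for a service behind a CDN that does no such translation:
// any govuk-abtest-* header that arrives was put there by the client itself,
// for example by a browser extension.
function clientSetAbtestHeaders(headers) {
  return Object.keys(headers)
    .map((k) => k.toLowerCase())
    .filter((k) => k.startsWith(ABTEST_PREFIX))
    .sort();
}

// Constructed sample requests (not the redacted one from the report).
// 1. An ordinary browser: the variant travels in the cookie only.
const browserRequest = {
  host: "www.gov.uk",
  cookie: "_ga=GA1.2.1; govuk-abtest-tasklistsidebar=B; govuk-abtest-topicpagestest=A",
};
// 2. A browser with an extension injecting headers, hitting an unrelated origin.
const extensionRequest = {
  host: "example.test",
  cookie: "session=opaque",
  "govuk-abtest-tasklistsidebar": "B",
  "govuk-abtest-topicpagestest": "A",
};
// 3. A client trying to override its cookie-assigned variant with a raw header.
const spoofRequest = {
  host: "www.gov.uk",
  cookie: "govuk-abtest-tasklistsidebar=A",
  "Govuk-Abtest-Tasklistsidebar": "B",
};

console.log(translateAbtestCookies(browserRequest).headers);
console.log(translateAbtestCookies(spoofRequest));
console.log(clientSetAbtestHeaders(extensionRequest));
```

The point for an origin is the same either way: a header is only trustworthy as "set by the edge" if the edge removes any copy the client sent, and a service that is not behind that edge at all should treat `govuk-abtest-*` headers as ordinary client input, which is exactly what the request in this report turned out to be.
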
MatthewDailey commented 5 years ago

Thanks for getting back to me!

A browser extension seems like a reasonable explanation for this.