Closed cristaloleg closed 1 month ago
I can't recall why we allow zero headers and I don't see a reason to allow this. I guess this is an oversight? I would prefer to disallow that rather than documenting its allowed.
Yep, for me it also sounds like an oversight. During discussion with Rene was mentioned that it doesn't bite us (yet!) 'cause we do validation on a higher level.
However, this lib can and is used in the wild. Which may bring bugs to the users. Gonna add validation to the trusted header. Thanks.
@renaynay I renamed the PR.
Overview
This was shortly discussed with @renaynay. We agreed on documenting that zero trusted header is allowed but untrusted header cannot be zero. Theoretically we can enforce non-zero headers for both but this requires a bit wider discussion inside the team (which we can make in this PR).