Open KhafraDev opened 7 months ago
Agree with the statement that these scenarios should be handled by the users rather than undici
or fetch
doing its best guest to cover that up.
However, I'm a little over the fence if this is something that should be changed within undici
or maybe a documentation improvement to be done. Especially as it feels pretty unique to multipart/form-data
(at least for now).
Should we consider adding a documentation improvement and a possible warning before considering it to throw
?
As said earlier, the only thing that it worries me is that this is becomes pretty specific to multipart/form-data
only
I would keep supporting it in request()
and override it in fetch()
.
Especially as it feels pretty unique to multipart/form-data (at least for now).
It is unique to multipart/form-data, as without the boundary type provided in the content-type header, it can't be parsed. https://datatracker.ietf.org/doc/html/rfc7578
"boundary" is now a required parameter in Content-Type.
I would keep supporting it in request() and override it in fetch().
Here's where we'd implement the logic. I wonder if we should take a look at reimplementing a subset of forbidden headers as we've had nothing but issues (host
header) and security vulnerabilities (cookie
, authorization
, proxy-authorization
) by not implementing them. Originally I wanted to follow Deno's behavior, but I'm second guessing my judgement... I know ronag's disapproved removing them too, way back when.
IMHO those are needed for compat with the rest of the Node.js ecosystem.
SGTM on the implementation of in request.
Should undici throw an error when sending a FormData body, either via request or fetch, when providing a content-type header?
The following will "work", but will cause the server to be unable to parse the formdata:
note: this is an actual sample of code someone asked me to help them fix, as the endpoint was giving them a 400 status code (but working with curl)
There are two different issues here:
The solutions are:
IMO when sending a FormData body there should never be an expectation of being able to send any other content-type, as without the undici-generated header, it literally can't be parsed by the server. I'd prefer throwing an error because there shouldn't be an expectation that these issues will get fixed by undici.