phusion / passenger

A fast and robust web server and application server for Ruby, Python and Node.js
https://www.phusionpassenger.com/
MIT License

Forced Status HTTP header #2046

Open aleksandrs-ledovskis opened 6 years ago

aleksandrs-ledovskis commented 6 years ago

Question 1: What is the problem?

Passenger force-adds a Status HTTP header to responses.

The Status header is not set unless passed from the application backend.

The Status header is non-filterable in Nginx/Apache HTTPd, unless wriggling it out with some custom code/third-party module (e.g. ngx_headers_more).

Your answer: Default install of Nginx + Passenger + Rails. Curl URL and witness Status header being present.

Question 2: Passenger version and integration mode:

Your answer: Open source 5.2.1/Nginx

Question 3: OS or Linux distro, platform (including version):

Your answer: N/A

Question 4: Passenger installation method:

Your answer: N/A

Question 5: Your app's programming language (including any version managers) and framework (including versions):

Your answer: N/A

Question 6: Are you using a PaaS and/or containerization? If so which one?

Your answer: N/A

Question 7: Anything else about your setup that we should know?

Your answer: Not really, all defaults.


According to the Nginx module and Apache module source code, it is non-bug behaviour which traces back to 2008 and the following Google Groups discussion.

Some 5 years ago this same observation was reported by a user, yet the answer mirrored the source code's comment, i.e.:

"because there are broken HTTP clients out there that depend on the existence of this header."

The original issue linked back to a now 404-ed post, which now resides at http://monsur.hossa.in/2007/12/28/XmlHttpRequest-status-and-statusText.html (https://archive.is/B6oaE). There are references to XHR quirks of long-dead browser versions like IE6, FF2.0 and Opera 9.

Can the Phusion team (or anyone for that matter) inform if there is any known breakage that the lack of a Status header causes in the year 2018?

For further consideration, Nginx has included Status filtering from upstreams like FCGI and SCGI for many years, albeit making it reversible via fastcgi_pass_header/scgi_pass_header.

My proposal is to include Status in the list of filterable headers. For extra safety (if deemed necessary), a new configuration option can be added which mimics fastcgi_pass_header/scgi_pass_header behaviour.
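
The proposal above, modelled as an added example that is not part of the original issue and is not Passenger's or Nginx's code: Status is dropped by default, can be restored through a pass list, and a checker reports whether a captured response still carries it. All function names, the `pass_headers` parameter and the sample response are hypothetical and constructed for illustration.

```python
# Added illustration: "hidden by default, restorable by config" header filtering.
# Names here are hypothetical; this is not Passenger's or Nginx's API.

DEFAULT_HIDDEN = frozenset({"status"})  # assumption: only Status is hidden by default


def parse_response_head(raw: bytes):
    """Split a raw HTTP/1.x response head into (status_code, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return int(parts[1]), headers


def filter_headers(headers, pass_headers=()):
    """Drop default-hidden headers unless explicitly re-enabled (case-insensitive)."""
    allowed = {h.lower() for h in pass_headers}
    hidden = DEFAULT_HIDDEN - allowed
    return [(n, v) for n, v in headers if n.lower() not in hidden]


def status_header_findings(raw: bytes):
    """List Status headers in a response and whether each matches the status line."""
    code, headers = parse_response_head(raw)
    findings = []
    for name, value in headers:
        if name.lower() == "status":
            token = value.split(" ", 1)[0]
            findings.append({"value": value, "matches_status_line": token == str(code)})
    return findings


# Constructed sample response, shaped like the behaviour described in the issue.
SAMPLE = (b"HTTP/1.1 404 Not Found\r\n"
          b"Content-Type: text/html\r\n"
          b"Status: 404 Not Found\r\n"
          b"Content-Length: 13\r\n\r\n<html></html>")
```

Running `status_header_findings` over responses captured from a deployment shows whether the header is still being emitted after a filter is put in place.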

FooBarWidget commented 6 years ago

I don't know of any known broken clients in 2018 that depend on the Status header. Your proposal to disable it by default, yet allowing it to be put back via a config option, seems reasonable.

aleksandrs-ledovskis commented 6 years ago

Thanks for the prompt reply! Would the Phusion team take this one up, or are you leaning more towards an OSS contribution?

FooBarWidget commented 6 years ago

We would be happy to accept a contribution. Though you should know that new contributors need to sign our contributor agreement.