Environment
macOS
Additional Detail from JIRA
md5: 2319ff00230245d8f90e2f2a01e4ccb4
Issue Description:
Summary
When the package manager sets an authorization header on a URL request, and is using the URLSessionHTTPClient as the underlying HTTP client, it's misusing URLSession/URLRequest since the "Authorization" header is a reserved one on macOS:
See https://developer.apple.com/documentation/foundation/urlrequest
and linked https://developer.apple.com/documentation/foundation/nsurlrequest#1776617
> Reserved HTTP Headers
> The URL Loading System handles various aspects of the HTTP protocol for you (HTTP 1.1 persistent connections, proxies, authentication, and so on). As part of this support, the URL Loading System takes responsibility for certain HTTP headers:
> ...
> Authorization
> ...
> If you set a value for one of these reserved headers, the system may ignore the value you set, or overwrite it with its own value, or simply not send it. Moreover, the exact behavior may change over time. To avoid confusing problems like this, do not set these headers directly.
Code Details
The package manager has an authorization provider mechanism for URL requests:
swift-package-manager/Sources/Basics/AuthorizationProvider.swift
Lines 20 to 22 in 85189ac
HTTPClient sets the Authorization header based on the value given from the authorization provider here:
swift-package-manager/Sources/Basics/HTTPClient.swift
Lines 101 to 103 in c313dea
When the `HTTPClient` is using the `URLSessionHTTPClient` as the underlying client:
swift-package-manager/Sources/Basics/HTTPClient.swift
Line 71 in c313dea
(which I believe happens always at least on macOS), the header values are set using `request.addValue(header.value, forHTTPHeaderField: header.name)` on a URLRequest here:
swift-package-manager/Sources/Basics/HTPClient+URLSession.swift
Lines 199 to 201 in 751f0b2
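The quoted documentation says the URL Loading System handles authentication itself; the following added example (not SwiftPM code and not from the issue author) shows that path for HTTP Basic credentials, supplied through the session delegate's challenge callback instead of a hand-set `Authorization` header. It assumes the server answers with a 401 Basic challenge; `BasicAuthDelegate`, `makeTask`, the URL and the credentials are hypothetical names and values constructed for illustration.

```swift
import Foundation
#if canImport(FoundationNetworking)
import FoundationNetworking  // URLSession lives here on Linux
#endif

/// Answers HTTP Basic challenges with a URLCredential so that the request
/// never carries a hand-written "Authorization" header.
final class BasicAuthDelegate: NSObject, URLSessionTaskDelegate {
    private let user: String
    private let password: String

    init(user: String, password: String) {
        self.user = user
        self.password = password
    }

    func urlSession(_ session: URLSession,
                    task: URLSessionTask,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only answer HTTP Basic challenges; leave everything else
        // (for example server trust evaluation) to default handling.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodHTTPBasic else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // A previous failure means these credentials were already rejected;
        // cancel instead of resending them in a loop.
        guard challenge.previousFailureCount == 0 else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let credential = URLCredential(user: user, password: password, persistence: .forSession)
        completionHandler(.useCredential, credential)
    }
}

/// Builds a data task whose credentials come from the delegate.
/// Only a non-reserved header is set on the request itself.
func makeTask(url: URL, delegate: BasicAuthDelegate) -> URLSessionDataTask {
    let session = URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
    var request = URLRequest(url: url)
    request.addValue("application/json", forHTTPHeaderField: "Accept")
    return session.dataTask(with: request)
}

// Constructed sample values; call resume() on the task to start the request.
let delegate = BasicAuthDelegate(user: "example-user", password: "example-password")
let task = makeTask(url: URL(string: "https://registry.example.com/packages")!, delegate: delegate)
```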