http2: validate non-link headers in writeEarlyHints #62017
Pull request overview
This PR hardens writeEarlyHints() by validating non-link headers (names + values) before emitting 103 Early Hints, aligning behavior with other header-writing code paths across the HTTP stack.
Changes:
- Add validateHeaderName()/validateHeaderValue() checks for non-link early hints in the HTTP/1.1 server response path.
- Add assertValidHeader() checks for non-link early hints in the HTTP/2 compat server response path.
- Add/extend parallel tests covering invalid early-hints header name/value handling for HTTP/1.1 and HTTP/2.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| lib/_http_server.js | Validates non-link early-hints header names/values before writing the 103 response. |
| lib/internal/http2/compat.js | Validates non-link early-hints headers in the HTTP/2 compat layer before sending informational headers. |
| test/parallel/test-http-early-hints-invalid-argument.js | Adds assertions for invalid early-hints header names and CRLF in values (HTTP/1.1). |
| test/parallel/test-http2-compat-write-early-hints-invalid-header.js | Adds assertions for invalid early-hints header names and invalid values (HTTP/2 compat). |
bf5cf85 to 69e6ce4 (February 27, 2026 12:36)
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #62017 +/- ##
==========================================
+ Coverage 90.03% 90.05% +0.01%
==========================================
Files 713 714 +1
Lines 224950 225246 +296
Branches 42530 42576 +46
==========================================
+ Hits 202541 202840 +299
+ Misses 14184 14180 -4
- Partials 8225 8226 +1
semver-major?
pimterry
left a comment
There's conflicts here due to the preceding PR (#61897) that covered some of this already. I imagine you're aware of that since you approved it 😆
The key difference is that this handles the HTTP/2 side - once the conflicts are fixed, can we update the commit message to make it clear this change just fixes the HTTP/2 compat API?
I review an endless stream of PRs 😰
69e6ce4 to 0ed213a (May 13, 2026 13:17)
Validate header names and values for non-link hints passed to writeEarlyHints() in the HTTP/2 compat layer using assertValidHeader() and checkIsHttpToken(), consistent with the HTTP/1.1 validation added in nodejs#61897.
Previously, hints were forwarded into the headers object without any validation, allowing invalid characters in header names/values to surface as opaque errors deeper in the HTTP/2 stack.
Signed-off-by: Matteo Collina <hello@matteocollina.com>
0ed213a to ee38509 (May 13, 2026 13:20)
274d799 into nodejs:main (May 15, 2026)
Validate header names and values for non-link hints passed to writeEarlyHints() in the HTTP/2 compat layer using assertValidHeader() and checkIsHttpToken(), consistent with the HTTP/1.1 validation added in #61897.
Previously, hints were forwarded into the headers object without any validation, allowing invalid characters in header names/values to surface as opaque errors deeper in the HTTP/2 stack.
Signed-off-by: Matteo Collina <hello@matteocollina.com>
PR-URL: #62017
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Summary
The HTTP/1.1 portion of the original PR landed separately in #61897. This PR now contains only the HTTP/2 compat layer counterpart.
- Http2ServerResponse.prototype.writeEarlyHints() using assertValidHeader() and checkIsHttpToken()
Test plan
- test/parallel/test-http2-compat-write-early-hints-invalid-header.js — verifies ERR_INVALID_HTTP_TOKEN for bad header names and ERR_HTTP2_INVALID_HEADER_VALUE for bad values
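The sketch below is an added example, not code from this PR or from Node.js. It shows the kind of up-front check the description refers to: each non-link hint name must be an HTTP token, and each value must be free of control characters such as CR and LF. The names validateEarlyHints, checkHints and HintError and both regular expressions are assumptions; the two error codes are reused from the test plan as labels only.

```javascript
// Added example; not Node.js source. All names here are hypothetical.
// Header field names must be tokens (tchar set, RFC 9110 section 5.6.2).
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Field values: reject control characters such as CR, LF and NUL (HTAB is allowed).
const BAD_VALUE_RE = /[^\t\x20-\x7e\x80-\xff]/;

class HintError extends TypeError {
  constructor(code, message) { super(message); this.code = code; }
}

// Returns the validated non-link hints with lower-cased names, or throws HintError.
function validateEarlyHints(hints) {
  const out = {};
  for (const [name, value] of Object.entries(hints)) {
    // This sketch covers only the non-link hints the PR is about.
    if (name.toLowerCase() === 'link') continue;
    if (!TOKEN_RE.test(name)) {
      throw new HintError('ERR_INVALID_HTTP_TOKEN', `invalid header name ${JSON.stringify(name)}`);
    }
    for (const v of Array.isArray(value) ? value : [value]) {
      if (v === undefined || v === null || BAD_VALUE_RE.test(String(v))) {
        throw new HintError('ERR_HTTP2_INVALID_HEADER_VALUE', `invalid value for header ${JSON.stringify(name)}`);
      }
    }
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Reports 'OK' or the error code, so rejected hints can be logged before anything is sent.
function checkHints(hints) {
  try {
    validateEarlyHints(hints);
    return 'OK';
  } catch (err) {
    if (err instanceof HintError) return err.code;
    throw err;
  }
}

// Constructed sample inputs.
const samples = [
  { link: '</app.css>; rel=preload; as=style', 'x-trace-id': 'abc123' },
  { 'bad name': 'v' },
  { 'x-trace-id': 'abc\r\nx-injected: 1' },
];
for (const s of samples) console.log(JSON.stringify(s), '->', checkHints(s));
```

Rejecting at this layer yields a specific error code at the call site instead of an opaque failure deeper in the stack.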