Skip to content

http: add CONNECT method handling for default Host header when using proxy#64114

Open
Archkon wants to merge 2 commits into
nodejs:mainfrom
Archkon:main
Open

http: add CONNECT method handling for default Host header when using proxy#64114
Archkon wants to merge 2 commits into
nodejs:mainfrom
Archkon:main

Conversation

@Archkon

@Archkon Archkon commented Jun 24, 2026

Copy link
Copy Markdown

Fixes: #63945

@nodejs-github-bot

Copy link
Copy Markdown
Collaborator

Review requested:

  • @nodejs/http
  • @nodejs/net

@nodejs-github-bot nodejs-github-bot added http Issues or PRs related to the http subsystem. needs-ci PRs that need a full CI run. labels Jun 24, 2026
@pimterry

Copy link
Copy Markdown
Member

Hi @Archkon! Thanks for this PR. It looks like there's a failing test (which pins the previous incorrect output) and the commit message is failing the linting. You'll need to fix the test, and update the commit message (git commit -s --amend) to fix the issues, and then force push to update this.

Otherwise the code looks good to me. My main concern is whether this is a breaking change: I agree the current behaviour is wrong, but it I'm not sure if changing it is likely to cause issues elsewhere in code that now expects this wrong Host value (even if the RFCs says they shouldn't) e.g. our own test suite.

What do @nodejs/http think? AFAICT the current behaviour has been in place for more than a decade. Tempted to lean semver-major just in case, even though it's fundamentally really a bug fix.

@Archkon

Archkon commented Jun 26, 2026

Copy link
Copy Markdown
Author

Hi @Archkon! Thanks for this PR. It looks like there's a failing test (which pins the previous incorrect output) and the commit message is failing the linting. You'll need to fix the test, and update the commit message (git commit -s --amend) to fix the issues, and then force push to update this.

Otherwise the code looks good to me. My main concern is whether this is a breaking change: I agree the current behaviour is wrong, but it I'm not sure if changing it is likely to cause issues elsewhere in code that now expects this wrong Host value (even if the RFCs says they shouldn't) e.g. our own test suite.

What do @nodejs/http think? AFAICT the current behaviour has been in place for more than a decade. Tempted to lean semver-major just in case, even though it's fundamentally really a bug fix.

I just feel that many framework developers aren’t aware of this underlying bug, because they assume CONNECT method will ensure RFC-compliant handling.

@mcollina mcollina added the baking-for-lts PRs that need to wait before landing in a LTS release. label Jul 1, 2026
@mcollina

mcollina commented Jul 1, 2026

Copy link
Copy Markdown
Member

@pimterry we use the "baking for lts" label and ship, that allows us to asses ecosystem impact.

@mcollina mcollina left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@mcollina mcollina added the request-ci Add this label to start a Jenkins CI on a PR. label Jul 1, 2026
@github-actions github-actions Bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jul 1, 2026
@nodejs-github-bot

Copy link
Copy Markdown
Collaborator

Archkon added 2 commits July 1, 2026 20:15
Signed-off-by: Archkon <180910180+Archkon@users.noreply.github.com>
Signed-off-by: Archkon <180910180+Archkon@users.noreply.github.com>
@Archkon

Archkon commented Jul 1, 2026

Copy link
Copy Markdown
Author

lgtm

Rebased this PR on the latest nodejs:main and resolved the conflict with #64108
@mcollina Could you please trigger a fresh CI run by applying request-ci? Thanks !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

baking-for-lts PRs that need to wait before landing in a LTS release. http Issues or PRs related to the http subsystem. needs-ci PRs that need a full CI run.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

http.request sends incorrect Host header for CONNECT requests (RFC 7230 and 9110 violation)

5 participants