Search code examples
c#ashx

c# ASHX addHeader causing error

I'm working on a c# .ashx handler file and having this code:

context.Response.AddHeader("HTTP Header", "200");
context.Response.AddHeader("Content", "OK");

when this page is accessed using http protocol, it works fine but if I use https, it generates error below in chrome://net-internals/#events:

t=10983 [st=37]    HTTP2_SESSION_RECV_INVALID_HEADER
                   --> error = "Invalid character in header name."
                   --> header_name = "http%20header"
                   --> header_value = "200"
t=10983 [st=37]    HTTP2_SESSION_SEND_RST_STREAM
                   --> description = "Could not parse Spdy Control Frame Header."
                   --> error_code = "1 (PROTOCOL_ERROR)"
                   --> stream_id = 1

Is "HTTP Header" a safe header name? I read that "space" shouldn't be a problem in header, what's the actual issue?

So far, above happens in chrome/safari, but works fine in Firefox.

Any kind advise?

Solution

  • Space is not a valid character in a header name. HTTP is defined by RFC 7230.

    The syntax of a header field is defined in section 3.2. Header Fields

       Each header field consists of a case-insensitive field name followed
   by a colon (":"), optional leading whitespace, the field value, and
   optional trailing whitespace.

     header-field   = field-name ":" OWS field-value OWS

     field-name     = token
     field-value    = *( field-content / obs-fold )
     field-content  = field-vchar [ 1*( SP / HTAB ) field-vchar ]
     field-vchar    = VCHAR / obs-text

     obs-fold       = CRLF 1*( SP / HTAB )
                    ; obsolete line folding
                    ; see Section 3.2.4

    So the field name is a token. Tokens are defined in 3.2.6. Field Value Components

       Most HTTP header field values are defined using common syntax
   components (token, quoted-string, and comment) separated by
   whitespace or specific delimiting characters.  Delimiters are chosen
   from the set of US-ASCII visual characters not allowed in a token
   (DQUOTE and "(),/:;?@[\]{}").

     token          = 1*tchar

     tchar          = "!" / "#" / "$" / "%" / "&" / "'" / "*"
                    / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
                    / DIGIT / ALPHA
                    ; any VCHAR, except delimiters

    The last piece is in 1.2. Syntax Notation

       The following core rules are included by reference, as defined in
   [RFC5234], Appendix B.1: ALPHA (letters), CR (carriage return), CRLF
   (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double quote),
   HEXDIG (hexadecimal 0-9/A-F/a-f), HTAB (horizontal tab), LF (line
   feed), OCTET (any 8-bit sequence of data), SP (space), and VCHAR (any
   visible [USASCII] character).

    So whitespace is not allowed in the name of a header.