[Web-SIG] HTTP_CONTENT_TYPE and HTTP_CONTENT_LENGTH

[Ian Bicking]

Manlio Perillo wrote:
> Ian Bicking ha scritto:
>> Manlio Perillo wrote:
>>> Hi.
>>>
>>> The CGI spec says:
>>> """Servers are not required to create metavariables for all the 
>>> request header fields that they receive. In particular, they MAY 
>>> decline to make available any header fields carrying authentication 
>>> information, such as "Authorization", or which are available to the 
>>> script via other metavariables, such as "Content-Length" and 
>>> "Content-Type"."""
>>>
>>>
>>> However wsgiref.validate raises an exception:
>>> AssertionError: Environment should not have the key: 
>>> HTTP_CONTENT_TYPE (use CONTENT_TYPE instead)
>>>
>>>
>>> Why don't just raise a warning?
>>
>> It's the sign of some ambiguity; the Content-Type header should be 
>> CONTENT_TYPE, and Content-Length should be CONTENT_LENGTH.  If they 
>> show up as HTTP_CONTENT_TYPE etc then something weird happened; 
>> probably code that didn't take these special-case headers into account.
>>
> 
> Well, its nothing weird.
> 
> The gateway is not required to remove HTTP_CONTENT_TYPE and 
> HTTP_CONTENT_LENGTH;
> at least this is what CGI says (and WSGI says nothing about this).
> 
> In fact in mod_wsgi for Nginx I don't remove these two variables, since 
> it requires extra code (but I will remove them, if there is a good 
> reason for doing so).

I never really read through the spec for this, but by convention all 
servers I know of do remove these.  Having the same header show up in 
multiple places seems dangerous (where the two values may not match, 
especially if the request has one of those keys rewritten).  And of 
course it's not much code to remove them.  There's some things that 
technically are okay with WSGI, but in practice are bad (like leaving 
out QUERY_STRING, which can cause very weird bugs due to how the cgi 
module was written).

-- 
Ian Bicking : ianb at colorstudy.com : http://blog.ianbicking.org