Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Should we skip the User-Agent header? #1208

Open
FantasticFiasco opened this issue Dec 2, 2024 · 5 comments · May be fixed by #1231
Open

Should we skip the User-Agent header? #1208

FantasticFiasco opened this issue Dec 2, 2024 · 5 comments · May be fixed by #1231
Assignees
@FantasticFiasco
Labels
bug Something isn't working

Comments

@FantasticFiasco
Copy link
Owner

FantasticFiasco commented Dec 2, 2024
edited
Loading

Describe the bug

As described a review remark of #1207, let's analyze if we should skip the User-Agent header instead having special support for it in the codebase (#1155).
@FantasticFiasco FantasticFiasco added the bug Something isn't working label Dec 2, 2024
@FantasticFiasco FantasticFiasco self-assigned this Dec 2, 2024
@FantasticFiasco FantasticFiasco mentioned this issue Dec 2, 2024
Merged
5 tasks
@mungojam
Copy link
Contributor

mungojam commented Dec 2, 2024

I wouldn't call it a workaround, it was changing it to implement the user agent spec. But if it can be skipped altogether in the signature then that's a good result

@FantasticFiasco
Copy link
Owner Author

You are correct, my intention was not to downplay this contribution. Bad wording on my part, I'll update my text.

@FantasticFiasco
Copy link
Owner Author

As it currently is worded, do you think it makes more sense, or can it be improved?

@mungojam
Copy link
Contributor

mungojam commented Dec 3, 2024

As it currently is worded, do you think it makes more sense, or can it be improved?

It's all good now thanks 🙂

@cfbao
Copy link
Contributor

cfbao commented Dec 23, 2024

I found one case where it makes sense to skip the user-agent header:
If a user of this library adds an empty string as the user-agent header (not implausible in a proxy server implementation that calls TryAddWithoutValidation on almost all headers), and sends the signed request to API Gateway, AWS will change the user-agent header to "Amazon CloudFront", and then the signature will be invalid.

@cfbao cfbao linked a pull request Dec 25, 2024 that will close this issue
Open
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@FantasticFiasco FantasticFiasco

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

add more unsignable headers cfbao/aws-signature-version-4
3 participants
@mungojam @FantasticFiasco @cfbao