1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
|
# Releases
## v0.55.0
- **Breaking**: Move `Protocol::HTTP::Header::QuotedString` to `Protocol::HTTP::QuotedString` for better reusability.
- **Breaking**: Handle cookie key/value pairs using `QuotedString` as per RFC 6265.
- Don't use URL encoding for cookie key/value.
- **Breaking**: Remove `Protocol::HTTP::URL` and `Protocol::HTTP::Reference` – replaced by `Protocol::URL` gem.
- `Protocol::HTTP::URL` -\> `Protocol::URL::Encoding`.
- `Protocol::HTTP::Reference` -\> `Protocol::URL::Reference`.
## v0.54.0
- Introduce rich support for `Header::Digest`, `Header::ServerTiming`, `Header::TE`, `Header::Trailer` and `Header::TransferEncoding`.
### Improved HTTP Trailer Security
This release introduces significant security improvements for HTTP trailer handling, addressing potential HTTP request smuggling vulnerabilities by implementing a restrictive-by-default policy for trailer headers.
- **Security-by-default**: HTTP trailers are now validated and restricted by default to prevent HTTP request smuggling attacks.
- Only safe headers are permitted in trailers:
- `date` - Response generation timestamps (safe metadata)
- `digest` - Content integrity verification (safe metadata)
- `etag` - Cache validation tags (safe metadata)
- `server-timing` - Performance metrics (safe metadata)
- All other trailers are ignored by default.
If you are using this library for gRPC, you will need to use a custom policy to allow the `grpc-status` and `grpc-message` trailers:
``` ruby
module GRPCStatus
def self.new(value)
Integer(value)
end
def self.trailer?
true
end
end
module GRPCMessage
def self.new(value)
value
end
def self.trailer?
true
end
end
GRPC_POLICY = Protocol::HTTP::Headers::POLICY.dup
GRPC_POLICY['grpc-status'] = GRPCStatus
GRPC_POLICY['grpc-message'] = GRPCMessage
# Reinterpret the headers using the new policy:
response.headers.policy = GRPC_POLICY
response.headers['grpc-status'] # => 0
response.headers['grpc-message'] # => "OK"
```
## v0.53.0
- Improve consistency of Body `#inspect`.
- Improve `as_json` support for Body wrappers.
## v0.52.0
- Add `Protocol::HTTP::Headers#to_a` method that returns the fields array, providing compatibility with standard Ruby array conversion pattern.
- Expose `tail` in `Headers.new` so that trailers can be accurately reproduced.
- Add agent context.
## v0.51.0
- `Protocol::HTTP::Headers` now raise a `DuplicateHeaderError` when a duplicate singleton header (e.g. `content-length`) is added.
- `Protocol::HTTP::Headers#add` now coerces the value to a string when adding a header, ensuring consistent behaviour.
- `Protocol::HTTP::Body::Head.for` now accepts an optional `length` parameter, allowing it to create a head body even when the body is not provided, based on the known content length.
## v0.50.0
- Drop support for Ruby v3.1.
## v0.48.0
- Add support for parsing `accept`, `accept-charset`, `accept-encoding` and `accept-language` headers into structured values.
## v0.46.0
- Add support for `priority:` header.
## v0.33.0
- Clarify behaviour of streaming bodies and copy `Protocol::Rack::Body::Streaming` to `Protocol::HTTP::Body::Streamable`.
- Copy `Async::HTTP::Body::Writable` to `Protocol::HTTP::Body::Writable`.
## v0.31.0
- Ensure chunks are flushed if required, when streaming.
## v0.30.0
### `Request[]` and `Response[]` Keyword Arguments
The `Request[]` and `Response[]` methods now support keyword arguments as a convenient way to set various positional arguments.
``` ruby
# Request keyword arguments:
client.get("/", headers: {"accept" => "text/html"}, authority: "example.com")
# Response keyword arguments:
def call(request)
return Response[200, headers: {"content-Type" => "text/html"}, body: "Hello, World!"]
```
### Interim Response Handling
The `Request` class now exposes a `#interim_response` attribute which can be used to handle interim responses both on the client side and server side.
On the client side, you can pass a callback using the `interim_response` keyword argument which will be invoked whenever an interim response is received:
``` ruby
client = ...
response = client.get("/index", interim_response: proc{|status, headers| ...})
```
On the server side, you can send an interim response using the `#send_interim_response` method:
``` ruby
def call(request)
if request.headers["expect"] == "100-continue"
# Send an interim response:
request.send_interim_response(100)
end
# ...
end
```
## v0.29.0
- Introduce `rewind` and `rewindable?` methods for body rewinding capabilities.
- Add support for output buffer in `read_partial`/`readpartial` methods.
- `Reader#buffered!` now returns `self` for method chaining.
## v0.28.0
- Add convenient `Reader#buffered!` method to buffer the body.
- Modernize gem infrastructure with RuboCop integration.
## v0.27.0
- Expand stream interface to support `gets`/`puts` operations.
- Skip empty key/value pairs in header processing.
- Prefer lowercase method names for consistency.
- Add `as_json` support to avoid default Rails implementation.
- Use `@callback` to track invocation state.
- Drop `base64` gem dependency.
## v0.26.0
- Prefer connection `close` over `keep-alive` when both are present.
- Add support for `#readpartial` method.
- Add `base64` dependency.
## v0.25.0
- Introduce explicit support for informational responses (1xx status codes).
- Add `cache-control` support for `must-revalidate`, `proxy-revalidate`, and `s-maxage` directives.
- Add `#strong_match?` and `#weak_match?` methods to `ETags` header.
- Fix `last-modified`, `if-modified-since` and `if-unmodified-since` headers to use proper `Date` parsing.
- Improve date/expires header parsing.
- Add tests for `Stream#close_read`.
- Check if input is closed before raising `IOError`.
- Ensure saved files truncate existing file by default.
## v0.24.0
- Add output stream `#<<` as alias for `#write`.
- Add support for `Headers#include?` and `#key?` methods.
- Fix URL unescape functionality.
- Fix cookie parsing issues.
- Fix superclass mismatch in `Protocol::HTTP::Middleware::Builder`.
- Allow trailers without explicit `trailer` header.
- Fix cookie handling and Ruby 2 keyword arguments.
## v0.23.0
- Improve argument handling.
- Rename `path` parameter to `target` to better match RFCs.
## v0.22.0
- Rename `trailers` to `trailer` for consistency.
## v0.21.0
- Streaming interface improvements.
- Rename `Streamable` to `Completable`.
## v0.20.0
- Improve `Authorization` header implementation.
## v0.19.0
- Expose `Body#ready?` for more efficient response handling.
## v0.18.0
- Add `#trailers` method which enumerates trailers without marking tail.
- Don't clear trailers in `#dup`, move functionality to `flatten!`.
- All requests and responses must have mutable headers instance.
## v0.17.0
- Remove deferred headers due to complexity.
- Remove deprecated `Headers#slice!`.
- Add support for static, dynamic and streaming content to `cache-control` model.
- Initial support for trailers.
- Add support for `Response#not_modified?`.
## v0.16.0
- Add support for `if-match` and `if-none-match` headers.
- Revert `Request#target` change for HTTP/2 compatibility.
## v0.15.0
- Prefer `Request#target` over `Request#path`.
- Add body implementation to support HEAD requests.
- Add support for computing digest on buffered body.
- Add `Headers#set(key, value)` to replace existing values.
- Add support for `vary` header.
- Add support for `no-cache` & `no-store` cache directives.
## v0.14.0
- Add `Cacheable` body for buffering and caching responses.
- Add support for `cache-control` header.
## v0.13.0
- Add support for `connection` header.
- Fix handling of keyword arguments.
## v0.12.0
- Improved handling of `cookie` header.
- Add `Headers#clear` method.
## v0.11.0
- Ensure `Body#call` invokes `stream.close` when done.
## v0.10.0
- Allow user to specify size for character devices.
## v0.9.1
- Add support for `authorization` header.
## v0.8.0
- Remove `reason` from `Response`.
## v0.7.0
- Explicit path handling in `Reference#with`.
## v0.6.0
- Initial version with basic HTTP protocol support.
## v0.5.1
- Fix path splitting behavior when path is empty.
- Add `connect` method.
- Support protocol in `[]` constructor.
- Incorporate middleware functionality.
## v0.4.0
- Add `Request`, `Response` and `Body` classes from `async-http`.
- Allow deletion of non-existent header fields.
## v0.3.0
- **Initial release** of `protocol-http` gem.
- Initial implementation of HTTP/2 flow control.
- Support for connection preface and settings frames.
- Initial headers support.
- Implementation of `Connection`, `Client` & `Server` classes.
- HTTP/2 protocol framing and headers.
|
