Discussion: Capitalize the header names of outgoing headers.

[futursolo]

Although, as per RFC 2616, All the HTTP/1.1 headers should be case-insensitive. However, as a general practice, most of the major web servers have their headers capitalized. Also, some broken HTTP/1.1 implementations do not recognize some specific headers(e.g.: Server header for Apache Benchmark) if they are not properly capitalized. It would be better if the header can be capitalized.

Performance Concerns: Compared to str.lower(), str.title() is slower. However, this can be migrated by adding an LRU Cache into the header capitalization process to solve the problem.

[Lukasa]

I strongly recommend making it possible to emit headers with any capitalisation, while making the current behaviour the default.

The reality is that HTTP implementations that require title cased headers are wrong. Their inability to tolerate them, forcing other implementations to psychically tolerate their preferences, is a bad behaviour and should be punished. However, it should clearly be possible to overrule that behaviour if needed to make an application work.

Note that the "capitalise as a matter of course" servers and clients are on the way out. HTTP/2 forcibly lowercases header names, which means a lot of these bad implementations get fixed as they get support for HTTP/2. So this may be a problem that reduces in scope over time.

A final note: RFC 2616 is dead. Long live RFCs 723[0-3]!

[sigmavirus24]

ITYM 723[0-5]

[njsmith]

I doubt there's any real performance difference either way between titlecasing and lowercasing, at least at the individual string level:

~$ pyperf timeit 'b"content-length".lower()'                            
.....................
Median +- std dev: 67.3 ns +- 2.3 ns
~$ pyperf timeit 'b"content-length".title()'
.....................
Median +- std dev: 75.2 ns +- 4.0 ns

The difference here is far smaller than the overhead of any caching scheme we could come up with.

In general I'd strongly prefer not to have a configuration knob here if at all possible, due to the costs to devs and users of maintaining, testing, documenting the thing...

From some research, it looks like title-casing does not solve all these problems. Searching finds a number of examples of implementations that require headers cased like dppPersonUUID, Sec-WebSocket-Key (notice the S in WebSocket), WWW-Authenticate (with Www-Authenticate being rejected), PageSpeed, X-Parse-OS-Version, ...

OTOH, it may solve enough of them that we can "get away with it". This appears to be golang's approach. (I'm not 100% sure that title-casing works better than lowercasing on average, but it seems likely. AFAICT nodejs switched from lowercase to title-casing.)

Some options:

• Do nothing and wait for someone to run into this for real. That list of issues linked above suggests that someone probably will run into it eventually, but like @Lukasa notes, it's possible that in 2017 the issue is not as severe as it used to be and is getting better. Maybe we can get away with it.

• Continue to unconditionally use lower-case internally; switch to unconditionally using title-case when writing out headers to the wire. This is a two-line change, and seems to incur a ~5% slowdown on CPython and ~3% on pypy. (OTOH the header validation stuff incurred a ~20% slowdown and we merged it anyway.) Probably we can get away with it, given golang's example.

• Switch to always using title-case as our canonical casing everywhere, internally and externally. This would be relatively unintrusive in a sense, b/c it keeps the same architecture as now, but it would force library users to adapt to dealing with title-case in our public APIs, which is pretty annoying, esp. for users who want to do both HTTP/1.1 and HTTP/2. I can already see @Lukasa gearing up to write a cranky email about this and he's probably correct :-)

• Canonicalize incoming headers, but don't touch outgoing headers. This is pretty tricky to get right though because there are a number of places where we need to internally examine and manipulate headers on the outgoing path, and all of those would need to re-do the canonicalization by hand (so e.g. right now we have code like for name, value in headers: if name == b"content-length": ..., and it would become for name, value in headers: if name.lower() == b"content-length": ...). So despite what one might expect this would almost certainly be slower than the current design, and with this approach there's a disturbingly high probability of us becoming one of those case-sensitive implementations because we forgot a .lower somewhere. OTOH this does provide the maximally flexible option for interoperability.

[futursolo]

@Lukasa I totally agree with your point of view. I also don't want to be tolerant to these broken implementations. Maybe, as time goes by, these implementations will die out. However, for now, these implementations still have some market share.

@njsmith Tornado has a cache for capitalized headers. I wrote a simple benchmark.

import time                                                                       
import tornado.httputil                                                           
                                                                                  
start_time = time.time()                                                          
for _ in range(0, 100000):                                                        
    "content-length".title()                                                      
                                                                                  
print("{:.5f}".format(time.time() - start_time))                                  
                                                                                  
normalized_headers = tornado.httputil._normalized_headers                         
                                                                                  
start_time = time.time()                                                          
                                                                                  
for _ in range(0, 100000):  # Thanks to @njsmith for stating out this error.
    normalized_headers["content-length"]                                          
                                                                                  
print("{:.5f}".format(time.time() - start_time))

When running the code above, my computer outputs 0.34973 and 0.00081.

I also suggest to keep using lowercase internally in favour of HTTP/2, however, add a mechanism at the output to justify the header names.

[futursolo]

Also for the special cases of capitalization in http headers(e.g.:ETag), I suggest to include a predefined, capitalized mapping for common http/1.1 headers for both performance purposes and solving these edge cases.

[njsmith]

Your benchmark has a typo -- you're only running the tornado test 2 times, instead of 100,000 times. After fixing that I get 0.02480 and 0.03074. I'm a bit confused at how your system is apparently >10x slower than my 2 year old laptop, but the relative speeds make more sense this way :-)

[futursolo]

@njsmith sorry, that's my fault. After fixing this problem, the result comes to 0.02667 and 0.01709.

In addition, the slowness comes from the console output, cause I first ran it in the Python interactive command line without suppressing the output(HOW LAZY I AM!). The result above is run after I fix this two problems.

However, my results contradicts yours. After I ran it for multiple times, I still cannot get your results.

My platform: CPython 3.6.0 on macOS 10.12.

[njsmith]

My numbers on your benchmark must have been a one-off glitch -- running it again now I get numbers more similar to yours.

However, the reason I didn't try repeatedly is that I'm still right ;-). Which is to say, it made sense to me, because the numbers matched what I was getting with timeit (which generally gives more meaningful results anyway). It turns out the reason is that I was checking bytes.title, while your benchmark uses str.title. bytes.title is more relevant here, and it's ~3x faster than str.title:

~$ pyperf timeit '"content-length".title()'
.....................
Median +- std dev: 223 ns +- 14 ns
~$ pyperf timeit 'b"content-length".title()'
.....................
Median +- std dev: 75.6 ns +- 1.5 ns

It's hard to compare against tornado.httputil directly, because they require str as input. For a simple dict lookup in a single-element dict, I get ~50 ns, regardless of whether the key is bytes or str, and for _normalized_headers I get ~125 ns. (AFAICT _normalized_headers should be just as fast as a dict... not sure where the discrepancy comes from!)

[njsmith]

@futursolo: also just to be clear... is this something you're actually running into now, or more of a theoretical concern?

[futursolo]

Actually, I am writing a toy server using h11 and asyncio.

Just curious about the design of the implementation, no offence.

[njsmith]

No offense taken! Just trying to figure out how urgent this is :-)

[Lukasa]

So, here's an alternative for you @njsmith: write a data structure that is basically a tuple, but allows you to access headers either case sensitively or case insensitively (where case insensitively is the default and is based on a call to .lower()).

The goal here is to allow all of h11's internals to continue to operate with confidence knowing that they'll see headers regardless of their case, but it also allows h11 to preserve any case that is provided to it for the sake of users who want that information.

Requests does a similar thing with its CaseInsensitiveDict, which is indexed by lowercased header names but has values that are a tuple of (original_name_case, value). That allows it to preserve header case when exposing to users, while nonetheless allowing for case-insensitive indexing. A similar thing could be done with a tuple-ish data structure if you were so inclined.

[njsmith]

Here's a really simple (maybe too simple) idea to throw into the mix: use tuples of (header, header_with_original_casing, value)

[mhils]

We are looking at implementing @mitmproxy's proxy core using sans-io and h11 would be a natural fit for that. I did some prototyping to test how h11 would work with our planned architecture. I'm really happy with how that turned out, yet header normalization/capitalization would definitely be blocker for us: for forensic reasons, we need to replay every non-malformed request as closely as possible to the upstream server.

It would be fantastic if h11 could end up with an implementation that follows @Lukasa's last proposal or @njsmith's (header, header_with_original_casing, value) idea. I do like the latter for being fairly low-level. FWIW, we would convert headers into mitmproxy's Header class anyway to have parity with h2.