feat(esm): expose User-Agent header#43852
Conversation
nodejs-github-bot commented Jul 15, 2022
Review requested:
|
nodejs-github-bot added esm 
bmeck commented Jul 15, 2022 via email
I'm extremely wary of this being used as a security related issue. I would be more comfortable if this can be disabled or custom configured. …On Fri, Jul 15, 2022, 1:31 PM Node.js GitHub Bot ***@***.***> wrote: Review requested: - @nodejs/modules <https://github.com/orgs/nodejs/teams/modules> — Reply to this email directly, view it on GitHub <#43852 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABZJI4X6SL2KPYWLL3DEUTVUGVB5ANCNFSM53WM77PQ> . You are receiving this because you are on a team that was mentioned.Message ID: ***@***.***> |
guybedford commented Jul 15, 2022
Perhaps this default with an environment variable to customize makes sense. Definitely seems a useful feature. |
aduh95 added the semver-minor 
ErickWendel commented Aug 8, 2022
hey, @Fyko would you mind adding tests for this feature? |
I would love to! Except... I'm not quite sure how. Could you point me in the right direction? @ErickWendel Edit: did some searching, this looks relevant c0f4289c65 |
ErickWendel commented Aug 8, 2022
Sure. I think it'd be easier if you go to this file node/test/parallel/test-fetch.mjs Line 32 in 3fcf2fe assert.strictEqual(response.headers["User-Agent"],`Node.js/${process.version}`);WDYT? |
Not quite sure if that would work considering the UA logic was added to fetch_module.js. I found the file https://github.com/nodejs/node/blob/main/test/es-module/test-http-imports.mjs and considered adding: if(_req.getHeaders()['user-agent']!==`Node.js/${process.version}`){res.writeHead(400);res.end('bad user-agent');return;}right after the createServer call node/test/es-module/test-http-imports.mjs Line 68 in 472edc7 |
I suggested going to the As your change will affect The file you mentioned has another goal. There you'd test the behavior when importing a module from an URL such as
Even though the logic was added to fetch_module, the WDYT? |
It seems the test you made is returning undefined. Was it working on your local environment? Lmk if you need something 🤩 |
ErickWendel commented Aug 23, 2022
Hey @Fyko do you need any help on this? |
Fyko commented Aug 25, 2022
I'll get around to this tomorrow. Sorry for the delay! |
| agent: HTTPSAgent, | ||
| headers: { | ||
| 'User-Agent': `Node.js/${process.version}`, | ||
| }, |
There was a problem hiding this comment.
I'm -1 on always setting this. It should be optional and default turned off.
There was a problem hiding this comment.
How do other server-side runtimes behave?
There was a problem hiding this comment.
My inspiration for this was how Deno sets the User-Agent header when getting packages. I don't quite understand why so many people are against this -- many very popular packages and utilities do this. Curl sets a header. So does node-fetch. List goes on. And it's completely nonsensical to use some type of env var to set the header.
There was a problem hiding this comment.
“many people do x” isn’t ever a justification; many people do many ill-advised things.
The advantages i can see of setting it by default is easier debugging on the other end - the disadvantages i see is that a server could identify, track, and treat differently a request coming from node vs from other sources.
There was a problem hiding this comment.
Deno sets the User-Agent header when getting packages. I don’t quite understand why so many people are against this – many very popular packages and utilities do this. Curl sets a header. So does node-fetch.
If most non-browser clients set a User-Agent header, then it’s a de facto standard and we should do the same. It doesn’t matter if some of us disagree with the wisdom of the practice; the point of adding APIs like fetch is to be more standards-compliant and similar to other clients. If users want network requests without User-Agent, they can just override the default or use some other API.
There was a problem hiding this comment.
Understanding the concerns about default behavior is essential. While many popular utilities set the User-Agent header by default, there are legitimate concerns regarding potential server-side differentiation based on this header. However, aligning with common practices across other clients could indeed enhance standards compliance.
Perhaps we can consider an optional flag for users to toggle the inclusion of the User-Agent header, offering both flexibility and adherence to commonly accepted practices. This could cater to different user preferences without compromising on standards.
There was a problem hiding this comment.
Please god not yet another flag. But yes some way to customize this behavior would be good.
this pr has my attention again, and im adamant about getting this done. if not a default User-Agent, what would you suggest? env var? what would you name it? |
GeoffreyBooth commented Sep 15, 2022
I think we should set it by default, and users could override it on a per- fetch(url,{headers: {'User-Agent': 'whatever'}})If we need a global override, that could happen later. |
Fyko commented Sep 15, 2022
i think you're misunderstanding. |
GeoffreyBooth commented Sep 15, 2022
You mean |
Fyko commented Sep 15, 2022
Got it, just making sure we're on the same page. I'm not exactly sure what to do here -- I've got conflicting opinions from different members. I'm going to fix my tests so CI passes and we'll see what happens! 🤗 |
#43851 doesn’t mention this applying to only Also, please always rebase on |
The issue was that on L133, the headers object being passed through was overwriting the user-agent header. I've reformatted the `opts` spread so the only way to over-write the header is to explicitily define it
renhiyama commented Jan 7, 2024
Any updates on this? |
11 participants
Closes#43851