Anomie edited projects, added Traffic, Core Platform Team Workboards (Clinic Duty Team); removed MediaWiki-API, Core Platform Team, Wikidata. Anomie added a comment. Restricted Application added a project: Operations.
There was no change to MediaWiki with respect to output of Set-Cookie headers. For that matter, MediaWiki does not directly output the Set-Cookie headers at all; it simply calls PHP's setcookie <https://www.php.net/setcookie> function and PHP handles the output.

Further, the headers output from PHP itself are in fact using the "Set-Cookie" casing:

  anomie@mwdebug1002:~$ curl -v -H 'Host: it.wikipedia.org' "http://$(hostname -i)/w/api.php?action=query&meta=tokens&type=login&format=json"; echo
  * Trying 10.64.0.46...
  * TCP_NODELAY set
  * Connected to 10.64.0.46 (10.64.0.46) port 80 (#0)
  > GET /w/api.php?action=query&meta=tokens&type=login&format=json HTTP/1.1
  > Host: it.wikipedia.org
  > User-Agent: curl/7.52.1
  > Accept: */*
  >
  < HTTP/1.1 200 OK
  < Date: Wed, 08 Apr 2020 13:03:42 GMT
  < Server: mwdebug1002.eqiad.wmnet
  < X-Powered-By: PHP/7.2.26-1+0~20191218.33+debian9~1.gbpb5a340+wmf1
  < X-Content-Type-Options: nosniff
  < P3P: CP="See https://it.wikipedia.org/wiki/Special:CentralAutoLogin/P3P for more info."
  < X-Analytics: ns=-1;special=Badtitle
  < X-Frame-Options: DENY
  < Content-Disposition: inline; filename=api-result.json
  < Cache-Control: private, must-revalidate, max-age=0
  < Vary: Accept-Encoding
  < Set-Cookie: itwikiSession=REDACTED; path=/; HttpOnly
  < Set-Cookie: forceHTTPS=true; path=/; HttpOnly
  < Backend-Timing: D=122696 t=1586351022770756
  < Transfer-Encoding: chunked
  < Content-Type: application/json; charset=utf-8

But as noted, requests hitting the public IP rather than the internal appserver do return the headers in lowercase:

  anomie@mwdebug1002:~$ curl --http1.1 -v "https://it.wikipedia.org/w/api.php?action=query&meta=tokens&type=login&format=json"; echo
  * Trying 2620:0:861:ed1a::1...
  * TCP_NODELAY set
  * Connected to it.wikipedia.org (2620:0:861:ed1a::1) port 443 (#0)
  [... bunch of TLS debugging info ...]
  * SSL certificate verify ok.
  > GET /w/api.php?action=query&meta=tokens&type=login&format=json HTTP/1.1
  > Host: it.wikipedia.org
  > User-Agent: curl/7.52.1
  > Accept: */*
  > X-Wikimedia-Debug: backend=mwdebug1002.eqiad.wmnet
  >
  < HTTP/1.1 200 OK
  < date: Wed, 08 Apr 2020 13:13:43 GMT
  < server: mwdebug1002.eqiad.wmnet
  < x-powered-by: PHP/7.2.26-1+0~20191218.33+debian9~1.gbpb5a340+wmf1
  < x-content-type-options: nosniff
  < p3p: CP="See https://it.wikipedia.org/wiki/Special:CentralAutoLogin/P3P for more info."
  < x-frame-options: DENY
  < content-disposition: inline; filename=api-result.json
  < cache-control: private, must-revalidate, max-age=0
  < vary: Accept-Encoding
  < set-cookie: itwikiSession=REDACTED; path=/; secure; HttpOnly
  < set-cookie: forceHTTPS=true; path=/; HttpOnly
  < backend-timing: D=74049 t=1586351623859249
  < content-type: application/json; charset=utf-8
  < x-envoy-upstream-service-time: 74
  < X-ATS-Timestamp: 1586351623
  < X-Varnish: 497730494
  < Age: 0
  < X-Cache: cp1081 pass, cp1079 pass
  < X-Cache-Status: pass
  < Server-Timing: cache;desc="pass"
  < Strict-Transport-Security: max-age=106384710; includeSubDomains; preload
  < Set-Cookie: WMF-Last-Access=08-Apr-2020;Path=/;HttpOnly;secure;Expires=Sun, 10 May 2020 12:00:00 GMT
  < Set-Cookie: WMF-Last-Access-Global=08-Apr-2020;Path=/;Domain=.wikipedia.org;HttpOnly;secure;Expires=Sun, 10 May 2020 12:00:00 GMT
  < X-Client-IP: 2620:0:861:101:10:64:0:46
  < Set-Cookie: GeoIP=US:::37.75:-97.82:v4; Path=/; secure; Domain=.wikipedia.org
  < Accept-Ranges: bytes
  < Content-Length: 100
  < Connection: keep-alive

On that basis, I'm going to poke this to #Traffic <https://phabricator.wikimedia.org/tag/traffic/>. My vaguely-informed guess would be that something has recently started to use HTTP/2 in communication between the front and back ends, and HTTP/2 of course requires header field names be transmitted in lowercase (RFC 7540 § 8.1.2 <https://tools.ietf.org/html/rfc7540#section-8.1.2>).

But as you noted, there's nothing actually //wrong// with the response.
According to both RFC 2616 <https://tools.ietf.org/html/rfc2616#section-4.2> (HTTP/1.1, June 1999) and RFC 1945 <https://tools.ietf.org/html/rfc1945#section-4.2> (HTTP/1.0, May 1996), header field names are case insensitive. I'll leave it to them to decide whether to close this as Invalid on that basis, or to try to munge things to output "Set-Cookie" instead of "set-cookie".

TASK DETAIL
  https://phabricator.wikimedia.org/T249680
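Added example, not part of the original comment and not MediaWiki or Wikimedia code: a small Python parser showing why a client that matches header field names byte-for-byte loses the session cookies in a response like the second one above, while a case-insensitive lookup collects every Set-Cookie field and its attributes. The response head is a constructed sample modelled on the quoted output, and all function names are hypothetical.

```python
# Constructed sample modelled on the output quoted above: lowercase names as
# relayed from the backend, "Set-Cookie" casing for the cookie added at the edge.
RAW_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "content-type: application/json; charset=utf-8\r\n"
    "set-cookie: itwikiSession=REDACTED; path=/; secure; HttpOnly\r\n"
    "set-cookie: forceHTTPS=true; path=/; HttpOnly\r\n"
    "Set-Cookie: WMF-Last-Access=08-Apr-2020;Path=/;HttpOnly;secure;"
    "Expires=Sun, 10 May 2020 12:00:00 GMT\r\n"
    "\r\n"
)


def parse_head(raw):
    """Return [(name, value), ...], keeping order and duplicate fields."""
    fields = []
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:
            break                        # blank line ends the header section
        name, _, value = line.partition(":")
        fields.append((name, value.strip()))
    return fields


def get_all(fields, wanted):
    """Case-insensitive match: field names are case-insensitive in HTTP."""
    return [v for n, v in fields if n.lower() == wanted.lower()]


def get_all_brittle(fields, wanted):
    """Byte-for-byte match, which silently skips 'set-cookie'."""
    return [v for n, v in fields if n == wanted]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attrs); attribute names lowercased."""
    first, *rest = value.split(";")
    name = first.strip().partition("=")[0]
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val     # flags such as secure map to ""
    return name, attrs


def cookies(raw, lookup=get_all):
    """Map cookie name -> attributes for every Set-Cookie field found by lookup."""
    return dict(parse_set_cookie(v) for v in lookup(parse_head(raw), "Set-Cookie"))
```

Set-Cookie fields are kept as separate entries rather than joined with commas, because an Expires date contains a comma of its own.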