Proxito: escaped HTTP headers and CF worker

[humitos]

I'm open this issue to keep the discussion about where the HTTP header values should be escaped and how. This conversation started in #11100 (review)

There are different approach discussed there:

1. escape HTTP values in the server and in the worker (it requires re-implementing a Python's function into JavaScript)
2. escape HTTP values only in the server and trust them from the worker
3. other alternatives?

The code is currently secure and safe and there is no need to change it. However, this issue will help us to discuss what path to follow.

[stsewd]

We don't need to escape values twice, only in the context where they are used, the 1st option should be to escape the values in the worker only. Escaping the values twice would lead to an incorrect value.

[humitos]

We don't need to escape values twice, only in the context where they are used, the 1st option should be to escape the values in the worker only

I'm more confused now. Why we would like to put an unsafe value over the wire if it has to be escaped to be used securely anyways?

[stsewd]

@humitos the value isn't unsafe by itself, it's only unsafe in the context where it's used, in this case when building the HTML by concatenating the values. If we want to use the value just a string, we want to have the original value as is <value> instead of manipulating it as >value<, or if we were to use that string for other purposes (in the command line, in a request, etc), it should be escaped for that context.

This is similar to why we escape the values from our search API where they are used instead of escaping them from the server.

[humitos]

Gotcha 👍🏼 . I got confused because what you are describing here solves a more broad problem -- it's a "general purpose solution", but we don't have those issues here. We just need a filename here without need to manipulate it or anything similar.

I'm happy to implement the generic approach you are describing once we need it 👍🏼