doc: document fetch() differences from the Fetch Standard #62236
kovan wants to merge 2 commits into nodejs:main from
Add a 'Differences from the standard' section to the fetch documentation listing the ways Node.js fetch (via undici) differs from browser implementations: no CORS enforcement, no forbidden headers, async iterable support in Response, response body consumption requirements, Content-Encoding layer limits, and manual redirect behavior. Fixes nodejs#52163
doc/api/globals.md
Outdated
| not have an origin. All cross-origin requests are allowed by default. | ||
| * **No forbidden headers.** The [Fetch Standard][] forbids setting | ||
| certain headers (such as `Cookie`, `Host`, and `Origin`) in browser | ||
| contexts. Node.js removes these restrictions, allowing full control |
I don't think this is true? Not for Host anyway. nodejs/undici#2369
Good catch, thanks. Host is unconditionally deleted by undici before dispatch (httpNetworkOrCacheFetch sets it from the URL). Updated the section to say "Fewer forbidden headers" and note the Host restriction specifically.
That's accurate but your commit message is wrong. The fix for the referenced CVE was about the host/cookie headers incorrectly carrying through redirects. The change to forbid setting Host on initial requests happened in nodejs/undici#2322 and was unrelated.
Incidentally, if you're using LLMs for any part of this, it's polite to disclose that.
You're right, thanks for the correction. The CVE was about headers leaking through cross-origin redirects, not about the initial request restriction. Updated the commit message to reference undici#2322 instead.
Re LLMs: yes, I use Claude Code as part of my workflow. Happy to add a note if there's a preferred format.
The usual thing is to add a line in the PR description describing what parts (of the code and also your comments) were done by the LLM vs you, and whether the correctness of the parts the LLM did is something you've reviewed and are qualified to review.
Updated the PR description with an AI disclosure section.
Host is restricted in Node.js fetch because undici disallows setting it to align with Cloudflare Workers and Deno behavior (undici#2322). Change "No forbidden headers" to "Fewer forbidden headers" and note the Host restriction.
cce0504 to bc825f9
Summary

Add a "Differences from the standard" section to the `fetch` documentation in `globals.md`, covering:

* Fewer forbidden headers (`Host` still restricted)
* `Response` accepts async iterables (Node.js extension)
* `Content-Encoding` layer limit of 5
* `opaqueredirect`

Based on the differences documented in undici's README and the original issue description from @mcollina.

Fixes #52163
AI disclosure
This PR was authored with Claude Code. I reviewed and verified all
content against the undici source code and Fetch Standard specification.
The Host header correction (switching from "No forbidden headers" to
"Fewer forbidden headers") was prompted by @bakkot's review and verified
against undici#2322.