Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Tokenize Connection header in WebSocket client handshake#12746

Merged
Dreamsorcerer merged 11 commits into
aio-libs:masterfrom
rodrigobnogueira:fix/ws-connection-token-check
Jun 9, 2026
Merged

Tokenize Connection header in WebSocket client handshake#12746
Dreamsorcerer merged 11 commits into
aio-libs:masterfrom
rodrigobnogueira:fix/ws-connection-token-check

Conversation

@rodrigobnogueira

@rodrigobnogueira rodrigobnogueira commented May 31, 2026
edited
Loading

Copy link
Copy Markdown
Member

What do these changes do?

Fix the WebSocket client handshake's response Connection header check, which
was a strict resp.headers.get(hdrs.CONNECTION, "").lower() != "upgrade" and
therefore rejected spec-compliant responses such as
Connection: upgrade, keep-alive (RFC 9110 §7.6.1 allows Connection to be
a comma-separated token list).

Rather than re-tokenise in client.py, this PR uses the same trick #12723
applied on the server side: the HTTP parser already tokenises Connection
and records the upgrade token in message.upgrade. ClientResponse.start
now copies that flag to a new _upgraded attribute, and _ws_connect reads
it directly:

if not resp._upgraded:
    raise WSServerHandshakeError(..., message="Invalid connection header", ...)

Are there changes in behavior for the user?

Yes, in the permissive direction only. aiohttp.ClientSession.ws_connect now
accepts successful WebSocket handshakes whose response Connection header
lists upgrade alongside other tokens (e.g. upgrade, keep-alive).
Previously such responses raised WSServerHandshakeError("Invalid connection header").

Is it a substantial burden for the maintainers to support this?

No. The behaviour now flows through the single, already-tested parser path
(HttpParser.parse_headersmessage.upgradeClientResponse._upgraded);
the WebSocket handshake just reads the flag.

Related issue number

Companion to #12723 (server side). Worth adding the backport-3.14 label at
merge so 3.14 doesn't ship with asymmetric behaviour (server accepts
Connection: upgrade, keep-alive after #12724, client still rejects it).

Checklist

  • I think the code is well written
  • Unit tests for the changes exist (parser, ClientResponse.start, and the WS handshake gate)
  • Documentation reflects the changes — N/A (no public API change)
  • If you provide code modification, please add yourself to CONTRIBUTORS.txt — already listed
  • Add a new news fragment into the CHANGES/ folder

@rodrigobnogueira
Tokenize Connection header in WebSocket client handshake
11c9051 
The client previously required the response Connection header to equal
"upgrade" exactly, rejecting spec-compliant servers that send a
comma-separated list such as "upgrade, keep-alive". Split on commas
and compare tokens so the response is interpreted per RFC 9110 §7.6.1.

This mirrors the tokenization the server-side handshake now relies on
(via the HTTP parser in aio-libs#12727), and a regression test confirms
substring matches like "keep-alive, notupgrade" are not accepted as
the upgrade token.
@rodrigobnogueira
Rename CHANGES fragment to PR number
474dad8
@psf-chronographer psf-chronographer Bot added the bot:chronographer:provided There is a change note present in this PR label May 31, 2026
@codecov

codecov Bot commented May 31, 2026
edited
Loading

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.95%. Comparing base (e8832ae) to head (defc2a7).
⚠️ Report is 291 commits behind head on master.
✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #12746      +/-   ##
==========================================
+ Coverage   98.92%   98.95%   +0.03%     
==========================================
  Files         131      131              
  Lines       46881    47824     +943     
  Branches     2431     2480      +49     
==========================================
+ Hits        46376    47324     +948     
+ Misses        379      376       -3     
+ Partials      126      124       -2
Flag Coverage Δ
Autobahn 22.28% <25.64%> (-0.17%) ⬇️
CI-GHA 98.92% <100.00%> (+0.03%) ⬆️
OS-Linux 98.68% <100.00%> (+0.04%) ⬆️
OS-Windows 97.05% <100.00%> (+0.02%) ⬆️
OS-macOS 97.95% <100.00%> (+0.04%) ⬆️
Py-3.10 98.17% <100.00%> (+0.05%) ⬆️
Py-3.11 98.42% <100.00%> (+0.04%) ⬆️
Py-3.12 98.51% <100.00%> (+0.04%) ⬆️
Py-3.13 98.49% <100.00%> (+0.04%) ⬆️
Py-3.14 98.51% <100.00%> (+0.04%) ⬆️
Py-3.14t 97.59% <100.00%> (+0.06%) ⬆️
Py-pypy-3.11 97.44% <100.00%> (+0.04%) ⬆️
VM-macos 97.95% <100.00%> (+0.04%) ⬆️
VM-ubuntu 98.68% <100.00%> (+0.04%) ⬆️
VM-windows 97.05% <100.00%> (+0.02%) ⬆️
cython-coverage 38.07% <48.71%> (+0.10%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

@codspeed-hq

codspeed-hq Bot commented May 31, 2026
edited
Loading

Copy link
Copy Markdown

Merging this PR will not alter performance

✅ 79 untouched benchmarks
⏩ 79 skipped benchmarks1

Comparing rodrigobnogueira:fix/ws-connection-token-check (defc2a7) with master (c67c9e4)2

Open in CodSpeed

Footnotes

  1. 79 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

  2. No successful run was found on master (c41e3b6) during the generation of this report, so c67c9e4 was used instead as the comparison base. There might be some changes unrelated to this pull request in this report.

@rodrigobnogueira
Rephrase changelog to avoid 'substring' (docs spell check)
acbe0d7
@rodrigobnogueira
Guard non-ASCII tokens in WebSocket client Connection check
602a401 
Mirror http_parser._parse_headers exactly: add the token.isascii()
filter so non-ASCII case folding cannot influence the membership test,
matching the parser convention the change cites.
@rodrigobnogueira
Strengthen WebSocket client Connection-header handshake tests
2b731e5 
Turn the multi-token test into a parametrized positive handshake
assertion covering case folding, surrounding whitespace, and non-first
token position -- each rejected by the old exact-equality check -- and
clarify that the substring test guards against a naive 'in' check.
@rodrigobnogueira
Reword 12746 changelog to describe only the behavior change
19e4a69 
Rejecting non-token values such as 'keep-alive, notupgrade' was already
the prior behavior, so it is not part of the fix.
Dreamsorcerer
Dreamsorcerer reviewed May 31, 2026
View reviewed changes
Comment thread aiohttp/client.py
@rodrigobnogueira
Reuse the parser's Connection upgrade flag in the WS client handshake
7e82464 
Rather than re-tokenizing the response Connection header in the client,
preserve the HTTP parser's already-tokenized upgrade decision on
ClientResponse (resp._upgraded) and check that during the WebSocket
handshake. This mirrors the server-side check (web_ws uses
request._message.upgrade) and means the RFC 9110 §7.6.1 tokenization
lives in one place. Multi-token responses such as
"Connection: upgrade, keep-alive" are accepted as before.
@rodrigobnogueira
Test WebSocket Connection upgrade-token handling via the parser
4e4f679 
Move the Connection tokenization coverage to where the logic now lives:
the response parser (covering both the C and pure-Python parsers), plus
a ClientResponse.start() test that the upgrade flag is preserved. The
ws_connect tests now exercise the resp._upgraded check directly.
@Dreamsorcerer

Dreamsorcerer commented Jun 8, 2026

Copy link
Copy Markdown
Member

Is this PR ready? Still seems to marked as draft..

@rodrigobnogueira rodrigobnogueira marked this pull request as ready for review June 8, 2026 17:55
Dreamsorcerer
Dreamsorcerer reviewed Jun 9, 2026
View reviewed changes
Comment thread aiohttp/client.py Outdated
Dreamsorcerer
Dreamsorcerer reviewed Jun 9, 2026
View reviewed changes
Comment thread aiohttp/client_reqrep.py Outdated
@Dreamsorcerer Dreamsorcerer added bot:chronographer:skip This PR does not need to include a change note backport-3.15 Trigger automatic backporting to the 3.15 release branch by Patchback robot labels Jun 9, 2026
@Dreamsorcerer Dreamsorcerer merged commit ff38c23 into aio-libs:master Jun 9, 2026
50 of 51 checks passed
@patchback

patchback Bot commented Jun 9, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Backport to 3.15: 💔 cherry-picking failed — conflicts found

❌ Failed to cleanly apply ff38c23 on top of patchback/backports/3.15/ff38c236ce9cda3a05ae01e7a967012e05074fe6/pr-12746

Backporting merged PR #12746 into master

  1. Ensure you have a local repo clone of your fork. Unless you cloned it
    from the upstream, this would be your origin remote.
  2. Make sure you have an upstream repo added as a remote too. In these
    instructions you'll refer to it by the name upstream. If you don't
    have it, here's how you can add it: 
    $ git remote add upstream https://github.com/aio-libs/aiohttp.git
  3. Ensure you have the latest copy of upstream and prepare a branch
    that will hold the backported code: 
    $ git fetch upstream
$ git checkout -b patchback/backports/3.15/ff38c236ce9cda3a05ae01e7a967012e05074fe6/pr-12746 upstream/3.15
  4. Now, cherry-pick PR Tokenize Connection header in WebSocket client handshake #12746 contents into that branch: 
    $ git cherry-pick -x ff38c236ce9cda3a05ae01e7a967012e05074fe6
    If it'll yell at you with something like fatal: Commit ff38c236ce9cda3a05ae01e7a967012e05074fe6 is a merge but no -m option was given., add -m 1 as follows instead: 
    $ git cherry-pick -m1 -x ff38c236ce9cda3a05ae01e7a967012e05074fe6
  5. At this point, you'll probably encounter some merge conflicts. You must
    resolve them in to preserve the patch from PR Tokenize Connection header in WebSocket client handshake #12746 as close to the
    original as possible.
  6. Push this branch to your fork on GitHub: 
    $ git push origin patchback/backports/3.15/ff38c236ce9cda3a05ae01e7a967012e05074fe6/pr-12746
  7. Create a PR, ensure that the CI is green. If it's not — update it so that
    the tests and any other checks pass. This is it!
    Now relax and wait for the maintainers to process your pull request
    when they have some cycles to do reviews. Don't worry — they'll tell you if
    any improvements are necessary when the time comes!

🤖 @patchback
I'm built with octomachinery and
my source is open — https://github.com/sanitizers/patchback-github-app.

@rodrigobnogueira rodrigobnogueira mentioned this pull request Jun 12, 2026
Merged
5 tasks
Dreamsorcerer pushed a commit that referenced this pull request Jun 13, 2026
@rodrigobnogueira
[PR #12746/ff38c236 backport][3.15] Tokenize Connection header in Web…
51d6ea5 
…Socket client handshake (#12904)

**This is a backport of PR #12746 as merged into master
(ff38c23).**
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Dreamsorcerer Dreamsorcerer Dreamsorcerer left review comments

@webknjaz webknjaz Awaiting requested review from webknjaz

@asvetlov asvetlov Awaiting requested review from asvetlov asvetlov is a code owner

Assignees

No one assigned

Labels

backport-3.15 Trigger automatic backporting to the 3.15 release branch by Patchback robot bot:chronographer:provided There is a change note present in this PR bot:chronographer:skip This PR does not need to include a change note

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rodrigobnogueira @Dreamsorcerer