Service Worker version reported is inaccurate #831

Closed
machawk1 opened this issue May 24, 2024 · 13 comments · Fixed by #832

Comments

@machawk1
Member

Current master branch head abaa35a

In Options and Details, the Service Worker is reported as "ver. 3.0.1 Python".

The basis of this looks to be parsed from the Server header via webui.js.

@machawk1
Member Author

This is likely due to there being two Server HTTP response headers:

% curl -I http://localhost:2016

HTTP/1.1 200 OK
Server: Werkzeug/3.0.1 Python/3.12.0
Date: Fri, 24 May 2024 14:47:24 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 3504
Server: InterPlanetary Wayback Replay/0.2023.08.16.1719
Connection: close

The first one ought to be suppressed.

@machawk1
Member Author

In replay.py:

@app.after_request
def set_server_header(response):
    response.headers['Server'] = ('InterPlanetary Wayback Replay/'
                                  f'{ipwb_version}')
    response.autocorrect_location_header = False
    return response

...this header is being overwritten but for some reason is instead being appended.

@machawk1
Member Author

response.headers in the above function reports to only have Content-Type and Content-Length. I am wondering if Server is prepended elsewhere.

@machawk1
Member Author

The homepage is invoked via render_template() in show_landing_page().

@machawk1
Member Author

It appears that Flask automatically wraps the returned string of render_template() in a response object. Changing this to explicitly be a response object might remedy this issue.

@machawk1
Member Author

machawk1 commented May 24, 2024

Wrapping the string in a make_response-generated response object and returning that still produces the Werkzeug/3.0.1 Python/3.12.0 Server header. Changing this value before returning show_landing_page does not affect the ultimate value returned.

Other headers (e.g., 'Foo') can be set here and are displayed in the response but Server remains unchanged.

@machawk1
Member Author

machawk1 commented May 24, 2024

I am wondering if this behavior is new to Werkzeug 3, which was released in September 2023.

EDIT: Werkzeug==2.3.8 has two headers as well. Maybe try an older version of Flask (currently on Flask v. 2.3.2)
EDIT: Updating Flask to the latest, the problem remains.

machawk1 added a commit that referenced this issue May 24, 2024
@machawk1
Member Author

machawk1 commented May 24, 2024

Note, this issue is also present in the HTTP response headers for mementos, so adjusting it in show_landing_page() won't resolve the issue elsewhere.

@machawk1
Member Author

machawk1 commented May 24, 2024

MWE:

from flask import (
    Flask, make_response
)

app = Flask(__name__)

@app.route('/')
def home():
  resp = make_response('lorem ipsum')
  resp.headers['Server'] = "My Server"
  return resp

app.run()

% curl -I http://127.0.0.1:5000
HTTP/1.1 200 OK
Server: Werkzeug/3.0.3 Python/3.12.0
Date: Fri, 24 May 2024 15:35:37 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 11
Server: My Server
Connection: close

@machawk1
Member Author

I asked about this on the Pallets Discord.

@machawk1
Member Author

It is sounding like it is not possible. Perhaps we can store the IPWB version in another header and reference it.

@machawk1
Member Author

Other advice from Discord:

  • Try server settings, your application server or proxy server, not in the flask application
  • As far as I can tell, it is only included when running the development server.
  • yeah in fact the server header isn't even present on the response in the flask app, the application server adds it
  • so gunicorn or some other wsgi server might have a configuration that would change what it sets
  • It provides the value as an override for the core Python value. If you are trying to remove or replace the server value for security reasons, stop now and use a different server. See https://docs.python.org/3/library/http.server.html#http-server-security for more details.

@machawk1
Member Author

The JS fetch to get the server headers combines both server headers into one string with a space delimitation. I am not sure whether having two Server response headers is valid. Regardless, the logic to extract the ipwb version needs to not look at the element at index 1 but instead string.split.at(-1). This should give us the ipwb version.
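
An added example, not part of the thread or of ipwb's webui.js: extracting the ipwb version from a combined Server value by matching the product name instead of a position, so tokens contributed by the development server cannot be mistaken for it. The function names, the `/` split in the positional variant, and the sample string (built from the two header values shown earlier in the thread) are assumptions.

```javascript
// Constructed sample: the two Server values from the curl output above, joined
// the way Fetch's Headers.get() joins repeated headers (with ", ").
const SAMPLE_COMBINED =
  'Werkzeug/3.0.1 Python/3.12.0, InterPlanetary Wayback Replay/0.2023.08.16.1719';

// Positional parsing (assumed shape of the logic described in the thread):
// the second "/"-separated element is whatever product happens to come first.
function positionalVersion(serverValue) {
  return serverValue.split('/')[1];
}

// Name-based parsing: find "InterPlanetary Wayback Replay/<version>" anywhere
// in the value. The version ends at whitespace or a comma, so it never absorbs
// a neighbouring token regardless of how the values were joined.
// Returns null when the ipwb product token is absent.
function extractIpwbVersion(serverValue) {
  if (typeof serverValue !== 'string') return null;
  const re = /InterPlanetary Wayback Replay\/([^\s,]+)/g;
  let last = null;
  for (const match of serverValue.matchAll(re)) {
    last = match[1]; // keep the final occurrence if the token repeats
  }
  return last;
}

console.log('positional:', positionalVersion(SAMPLE_COMBINED));
console.log('name-based:', extractIpwbVersion(SAMPLE_COMBINED));
```

Returning null when the token is missing lets the UI show "unknown" rather than another server's version string.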
