Setting pseudo-headers for H2 request

[kyrylodolynskyi]

Bug Description

I want to use undici with the allowH2 flag to overcome CloudFlare anti-DDoS behavior, this requires :method, :authority, :path, and :scheme pseudo-headers to be sent, but undici doesn't add them on its own (as browser does) and doesn't allow to set them by myself, since the header key validation from http1.1 is applied.

Reproducible By

import {fetch, Client} from 'undici'

const client = new Client(`<http2 server>`, {
  allowH2: true,
})

await fetch('<http2 resource>', {
  dispatcher: client,
  headers: {
    ':authority': '<authority>',
    ':method': 'GET',
    ':path': '<path>',
    ':scheme': 'https'
  }
})

Expected Behavior

The pseudo-headers are added by the fetch itself, or it is possible to pass them manually.

Environment

macOS Ventura 13.4.1, Node v20.5.0

[metcoder95]

We already attach the :authority, :method, and :path headers; but its true the :scheme is not added. It should be a matter of add it here:

undici/lib/client.js

Line 1691 in 5e654f3

headers[HTTP2_HEADER_AUTHORITY] = host || client[kHost]

As we do not support h2c (its non-encrypted version), it is safe to hardcode it as https.

Would you like to send a PR? 🙂

[kyrylodolynskyi]

@metcoder95 Oh, thank you for pointing me at this part of the code (I was looking at core/request.js 🤦🏼). I played with the code a little bit and found out that even adding :scheme doesn't solve my problem, but what solves is changing the order of the headers from :authority - :path - :method, to :authority - :method - :path, or :method - :authority - :path. Seems like at least for CloudFlare it is crucial for :method header to appear before :path.
I would like to open a PR to fix it, but I am not aware of any specification that documents that, so I am not sure if you would be open to such a change. WDYT?

[metcoder95]

Feel free to open a PR for changing the order 👍

By spec, the order of the headers should not be a problem; as is not specified. But it can be obvious that some prefer a given order.
Maybe if we find more issues like this one, we'll need to allow its customization.

[amitzur]

In this case this seems like misbehavior of CloudFlare. I'm in favor of a PR that changes the order, but in parallel is there a way to influence CloudFlare and bring this to their attention?

[metcoder95]

Not really sure, maybe you can open a thread on its community forum and seek of more consensus and maybe grasp is attention: https://community.cloudflare.com/

[metcoder95]

Closed by #2308