HttpClient automatically adds Request-Id HTTP header #35337
Comments
Dotnet-GitSync-Bot
added
area-System.Net.Http
untriaged
|
Tagging subscribers to this area: @dotnet/ncl |
HttpClient API does not add "Request-Id" HTTP request header. How did you confirm that HttpClient was adding this request header? Was it by inspecting request headers received by the server? It's quite possible that a front-end proxy etc. is adding these headers on your behalf. |
Actually, DiagnosticHandler does: but only if the diagnostics are enabled: |
|
See this thread for clarity dotnet/aspnetcore#21012 (comment) |
|
The docs are lacking in this area cc @noahfalk @shirhatti |
|
@davidsh You can see how surprised I was when I realized the framework was doing this, and yet again just now when I heard that this is intentional behavior, and that there are no plans to fix it.
I strongly disagree with this. Not only is it sending behavior modifying headers without explicitly opting-in, it leaks private information about my HTTP client.
As much I hate to say it, I agree with @karlra's strongly worded views on this. Even if it had been well documented, surely we don't expect every user of .NET to use a proxy, identify the weird header, google it, and then add code to opt-out? Why can't we ask users to add a line of code in their Startup.cs if they actually want such behavior? I doubt the vast majority of Asp.NET Core users know or care about features like distributed tracing. Such a feature should have been designed to be opt-in. I'm confident you'll hear the same opinion if a public poll was conducted for this. |
|
At this point if we decide to revert the behavior the question will be:
|
Following the usual pattern, something along the lines of
I'm unsure what such a scenario might be. However, I think having it be controlled by a flag like the example above is reasonable. |
This would be HttpClientFactory specific? What would it be applied to? Which HttpClients?
A global static? Where do I set it, which HttpClients does it affect? Today the HttpClients that are affected are ones that run within the current activity. That's why it can be disabled on a granular basis. |
I obviously also disagree strongly with this. Imagine the number of issues that will be raised on here about it.....The concatenation of the header that takes place if you try to set this header yourself is even worse.
Why, you hold a particular dislike for me? :) |
I forgot about that. @karlr can you file another issue for that? |
|
I included it in my original ticket, but do you want a completely separate ticket concerning just that one thing @davidfowl ? |
|
Yes in this repository with an isolated repro. |
@davidfowl From the doc you linked, we currently use code similar to the one below. Keep in mind that This way, we avoid creating a global static for this. Even if some user had multiple webservers running in the same program, each of their individual activity propagation preferences would be respected. public void OnIncomingRequest(DiagnosticListener httpListener, HttpContext context)
{
if (httpListener.IsEnabled("Http_In"))
{
Activity activity = new Activity("Http_In");
//add tags, baggage, etc.
activity.SetParentId(context.Request.headers["Request-id"])
foreach (var pair in context.Request.Headers["Correlation-Context"])
{
var baggageItem = NameValueHeaderValue.Parse(pair);
activity.AddBaggage(baggageItem.Key, baggageItem.Value);
}
httpListener.StartActivity(activity, new {context});
try {
//process request ...
} finally {
//stop activity
httpListener.StopActivity(activity, new {context} );
}
}
}I think having 10% of users enable a feature that they actually want is much more preferable to having the other 90% disable a feature they don't.
Hah not at all! I just meant that your opinion was rather strongly worded. But still, it was apt for the issue at hand - this is very unexpected behavior for a framework. |
|
|
Just wanted to add that I originally identified this issue when debugging why a library wasn't working (so there are real-world issues that this raises). The extra If possible, let's treat this issue as slightly higher priority since others may not be able to debug at the level that I or @karlra did. And since without debugging they wouldn't know about the |
|
Related to #31261 |
|
Triage:
|
karelz
added
api-suggestion
|
@karelz Completely agree that any diagnostic feature like this should be opt-in. Could you clarify what more info we need to proceed with improving this API? |
|
I wasn't suggesting it should be opt-in. Given it is in place for few years and this is the first complain, I think opt-out is ok. We should first wait for #31261 to be designed. Then design this API to be consistent / aligned. |
Oh I misunderstood you. I believe that a big reason this is the first complaint is that very few people have noticed it so far. Even for those people, I strongly suspect they would consider this a privacy concern if they were explicitly asked if they accept this behavior. |
|
I disagree strongly with making this opt-out for so many reasons, but if that is the decision, could you at least please change it so that if you set the request-id header explicitly it counts as opting out? |
|
@karlra But then wouldn't the request-id header still be sent? |
|
@shravan2x I just mean that if the decision is that .NET will by default continue setting the request-id header for tracking purposes and expecting the developer to opt out, then explicitly setting the value of the header must completely overwrite the header instead of how it works now. |
|
@karlra that is discussed in the issue you linked, and our triage #35357 (comment) agreed with the behavior - let's keep the discussion there, separate from this one. |
|
I cant believe this is opt-in !!!! This waste 2 days for me , to find out why my request be ban . /cry |
|
While we are working on a proper solution for 6.0, if you don't care about distributed tracing at all, you can completely disable the AppContext.SetSwitch("System.Net.Http.EnableActivityPropagation", false); |
|
@MihaZupan Does this work in .NET 5.0? Are there any side effects I should know about? |
|
Yes the switch has been there for quite a while. It will completely disable the DiagnosticsHandler. All of these would only matter if you care about being a part of the distributed trace. |
|
Glad to hear! I strongly doubt any average user would want to opt-in to an analytics/tracking system like this without fully understanding it (and they probably haven't even heard of it). |
|
I don't think having it be on by default was a bad choice since realistically it's helping users that care about it while not really affecting those who don't. It isn't leaking private information - these are just long random numbers for the most part. |
|
If I understood the feature correctly, it leaks which other servers your program made a request to. This is especially concerning with large cloud solutions like AWS or Azure because they can tie different child requests together. |
ghost
added
the
in-pr
|
#50658 added a global setting that can be used to disable context propagation process-wide. DistributedContextPropagator.Current = DistributedContextPropagator.CreateNoOutputPropagator();We are also exposing a property on using var client = new HttpClient(new SocketsHttpHandler
{
ActivityHeadersPropagator = null
});For .NET 5 (and 3.1), see the workaround mentioned in #35337 (comment) |
ghost
removed
the
in-pr
ghost
locked as resolved and limited conversation to collaborators
I have an application that sends HTTP requests via HttpClient from an Asp.NET Core project. For unknown reasons, all sent requests seem to have a
Request-IdHTTP header. I'm not able to repro this in a regular console application. The docs don't have any information on disabling it.They seem to be added by the framework https://github.com/dotnet/runtime/search?q=RequestIdHeaderName&unscoped_q=RequestIdHeaderName .
The text was updated successfully, but these errors were encountered: