odoo/odoo#203422
Created by SM Learn, Julien Castiaux (juc)
Statuses:
- legal/cla: Contributor License Agreement check
- ci/runbot: Odoo Test Suite
- ci/upgrade_enterprise: Test upgrades for enterprise master
- ci/template: Contact runbot team on discord for help.
- ci/style: Optional style check. Ignore it only if strictly necessary.
- ci/security: Required security check. Can only be ignored by security team.
- label
- odoo-dev:17.0-http-duplicate-date-header-juc
- head
- 0b79a19e63948ff4d2b56a7214f9e7874da1432f
- merged
- 2 months ago by SM Learn, Julien Castiaux (juc)
odoo/odoo | |
---|---|
17.0 | #203422 |
saas-17.4 | #206505 |
[FIX] core: don't send Date header twice
Werkzeug historically prevented sending the same header twice[^1] but a refactor done with Werkzeug 2.0.0 removed that code[^2]. Additionally `http.server.BaseHTTPRequestHandler.send_response`[^3] always sends both the `Server` and `Date` headers, no matter if those headers are actually present in the response already. The Werkzeug team is aware (issue 2500) of this issue but they consider rightfully that (1) we shouldn't be using their builtin http server, and (2) that it is a problem to be solved upstream in CPython.
We usually don't send those two headers, and let werkzeug/http.server send them for us. But when using `Response.make_conditional`, Werkzeug is gonna force a Date header with the response. This is desirable because the Date is very when doing conditional requests, as the resource might have been created in the past but be still fresh.
The result is that when using `Response.make_conditional`, there are 2 Date headers in the response. This is not a problem when the two Date headers have the same value, but nginx is still sending warnings. The operational team here at Odoo wants to get rid of those silly warnings.
In this work we silently discard the second Date/Server header in case it has the same value as the first one. And we emit a warning should those two values be different.
Note that the header that is discarded is the one from the response, and not the one that http.server always sends with `send_response`. Ideally we should do the contrary: discard the one of `send_response` and keep the one from the response, but that's more complicated, and we don't need it at the moment.
[^1]: pallets/werkzeug:37b3fcc
[^2]: pallets/werkzeug:d062807
[^3]: https://github.com/python/cpython/blob/f1967e72498209e42f7cf5eeff0cd84d1ec10d18/Lib/http/server.py#L499-L510
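
The duplicate `Date` header and the discard-or-warn behaviour described in the commit message above, as an added example that is not the code merged in this PR. `App`, `DedupApp`, `FakeSocket`, `date_headers` and `FIXED_DATE` are hypothetical names, and the request is served from an in-memory socket with a frozen clock so the result is reproducible.

```python
import io
import logging
from http.server import BaseHTTPRequestHandler

logger = logging.getLogger("dedup_demo")
FIXED_DATE = "Mon, 01 Jan 2024 00:00:00 GMT"  # constructed sample value

class App(BaseHTTPRequestHandler):
    """Stand-in app that sets its own Date, as Response.make_conditional does."""
    app_date = FIXED_DATE
    def date_time_string(self, timestamp=None):
        return FIXED_DATE  # frozen clock keeps the demo deterministic
    def log_message(self, *args):
        pass  # keep the demo quiet
    def do_GET(self):
        self.send_response(200)  # http.server always adds Server and Date here
        self.send_header("Date", self.app_date)  # the response's own Date
        self.send_header("Content-Length", "0")
        self.end_headers()

class DedupApp(App):
    """Keep the Date/Server sent by send_response, discard the response's copy."""
    def send_response_only(self, code, message=None):
        self._seen = {}  # new response: forget the previous one's headers
        super().send_response_only(code, message)
    def send_header(self, keyword, value):
        key = keyword.casefold()
        if key in ("date", "server"):
            if key in self._seen:
                if self._seen[key] != value:  # same value: drop silently
                    logger.warning("dropped conflicting %s: %r", keyword, value)
                return
            self._seen[key] = value
        super().send_header(keyword, value)

class FakeSocket:  # in-memory connection (constructed), keeps the demo offline
    def __init__(self, raw):
        self.rfile, self.sent = io.BytesIO(raw), io.BytesIO()
    def makefile(self, *args, **kwargs):
        return self.rfile
    def sendall(self, data):
        self.sent.write(data)

def date_headers(handler_cls, app_date=FIXED_DATE):
    """Serve one GET in memory and return the Date values put on the wire."""
    sock = FakeSocket(b"GET / HTTP/1.0\r\n\r\n")
    type("Handler", (handler_cls,), {"app_date": app_date})(sock, ("127.0.0.1", 0), None)
    lines = sock.sent.getvalue().decode("latin-1").split("\r\n")
    return [ln.split(": ", 1)[1] for ln in lines if ln.lower().startswith("date:")]
```

`date_headers(App)` returns two values, which is what nginx warns about; `date_headers(DedupApp)` returns one, and a differing application date is dropped with a log warning.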