Runtime: System.Net.Http.Json: Consider relaxing content type verification in ReadFromJsonAsync

Created on 2 Jul 2020  路  14Comments  路  Source: dotnet/runtime

I'm doing interop with aria2. It's using application/json-rpc for its returning content type, which is refused by ReadFromJsonAsync.

Proposed solutions:
  1. Add a boolean parameter to totally bypass content type checking.
  2. Pass a string as the expected content type.
  3. Widen the accepted content types to include it. I'm not very familiar to the specification of content type, and not sure whether StartsWith is abusing it.
Current workaround:

Copy the implementation and delete code doing verification.
This is opposed to the purpose of System.Net.Http.Json. They are mostly simple helpers. If there's some restriction makes it unusable, the whole type becomes no-sense.

area-System.Net.Http up-for-grabs
Source
picture huoyaoyuan

Most helpful comment

I think we should not check content type, but if parser throws an exception, throw with a message like "Content of type '{0}' was not valid json...".

picture scalablecory on 7 Jul 2020
👍7

All 14 comments

Tagging subscribers to this area: @dotnet/ncl
Notify danmosemsft if you want to be subscribed.

msftbot[bot] picture msftbot[bot] on 2 Jul 2020

@Jozkee @layomia

scalablecory picture scalablecory on 2 Jul 2020

Yeah. There are so many weird servers that send weird content media types, in which case System.Net.Http.Json would be worthless.

The first option would solve all problems:

  1. Add a boolean parameter to totally bypass content type checking.
samsosa picture samsosa on 3 Jul 2020

This seems worth doing to me. At least to make it configurable.

scalablecory picture scalablecory on 6 Jul 2020

Why would this need to be configurable? Couldn't you just check the Content-Type header yourself before calling ReadFromJsonAsync if you want content type checking? If the body's not actually Json, parsing would fail anyway.

halter73 picture halter73 on 6 Jul 2020

Do we enforce content type for other methods like ReadAsStringAsync?

Seems like we just shouldn't check Content-Type here at all.

geoffkizer picture geoffkizer on 6 Jul 2020
👍2

Why would this need to be configurable? Couldn't you just check the Content-Type header yourself before calling ReadFromJsonAsync if you want content type checking? If the body's not actually Json, parsing would fail anyway.

Yep, I should have been more clear -- I think we should get rid of the check. And if there is a reason to care (@rynowak? @Jozkee?) then it should be configurable.

scalablecory picture scalablecory on 7 Jul 2020
👍2

The main reason to have it was to have parity with the old APIs from System.Net.Http.Formatting
https://dotnetfiddle.net/ijQAdJ

Linking the original discussion for such check https://github.com/dotnet/runtime/pull/33459#discussion_r390700364.

If other ReadAs* methods does not have such validation I would agree on adding a parameter to bypass the validation or even remove it so people that is not very experienced in using the HTTP APIs don't get frustrated by this error (https://github.com/dotnet/aspnetcore/issues/21288).

cc @pranavkm @terrajobst

Keep in mind that these APIs are already available as a NuGet package that targets netcoreapp3.1 and netstandard2.0; if we decide to change behavior here would that be considered a breaking change?

Jozkee picture Jozkee on 7 Jul 2020

System.Net.Http.Formatting performed content-negotation, hence it made sense for it to complain about an unknown media type.

With S.Net.Http.Json since you're explicitly asking to read JSON, there isn't much value in trying to validate this. What would help, is to include the media type as part of the error if deserializing fails and the content-type is unknown. This may help users self-diagnose a little better:

C# try { return DeserializeAsync(); } catch (JsonException ex) when (IsNotJsonContentType()) { throw new DivideByZeroException("It does not look like you're reading json. Here's your content-type {content-type}. ", ex); }

Keep in mind that these APIs are already available as a NuGet package that targets netcoreapp3.1 and netstandard2.0; if we decide to change behavior here would that be considered a breaking change?

The code would have previously thrown when it encountered an unsupported media type. It wouldn't be a breaking change if it was more accomodating.

pranavkm picture pranavkm on 7 Jul 2020
👍1

The original intent for the check (in this iteration of the library) is to make sure you get a reasonable error message when parsing fails. The really common case is when you're interacting with a website that returns an HTML page on a failure.

rynowak picture rynowak on 7 Jul 2020

@pranavkm @rynowak

So what do you think the ideal change is? We could check the content type and throw a better exception for known content types that are common and unlikely to produce JSON, such as text/html. This would catch common issues resulting in parser errors while avoiding an overly aggressive content type enforcement.

terrajobst picture terrajobst on 7 Jul 2020

I think we should not check content type, but if parser throws an exception, throw with a message like "Content of type '{0}' was not valid json...".

scalablecory picture scalablecory on 7 Jul 2020
👍7

馃憤 with @scalablecory's suggestion. We want to give users good diagnostics when parsing fails rather than police the web.

pranavkm picture pranavkm on 7 Jul 2020

I think we should not check content type, but if parser throws an exception, throw with a message like "Content of type '{0}' was not valid json...".

In that case this is my understanding of the change:

  1. Remove MediaType-related validations.
  2. Wrap JsonSerializer.DeserializeAsync on a try-catch.
  3. Append the MediaType before rethrowing.
Jozkee picture Jozkee on 7 Jul 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

jchannon picture jchannon  路  3Comments
aggieben picture aggieben  路  3Comments
EgorBo picture EgorBo  路  3Comments
btecu picture btecu  路  3Comments
matty-hall picture matty-hall  路  3Comments