Node.js community finally prodded to patch Chromium XHR bug after developer refuses to let flaw stand

If at first you don't succeed, try, try... try, try, try... try again


The Node.js community has finally taken steps to address a longstanding bug that has been hobbling XHR requests over HTTP/2 in Chromium-based browsers, though the fix won't be immediately available to everyone.

"HTTP/2 XHR requests are literally broken in Chrome/Chromium, but no other browsers," explained a software developer who asked to be referred to by the pseudonym niftylettuce, in an email to The Register last week.

The XMLHttpRequest (XHR) object offers a way to fetch resources over the network. Though the recently introduced Fetch API offers a more modern alternative, XHR is still widely used.

And about half the time currently – 47.5 per cent – XHR requests travel over HTTP/2, a revision of the HTTP protocol approved in 2015 and currently the recommended spec, even as HTTP/3 is starting to see some use.

For Node.js developers implementing XHR requests over HTTP/2, there have been problems. In January, niftylettuce reported that XHR requests with a Node.js server running HTTP/2 stall and fail to end. But the problem appears to date back further, given a similar bug report in 2017 and another complaint from 2019.

"To me this is a severe and critical flaw, and potentially a vulnerability too," wrote niftylettuce. "Having something be in a stalled/queued state for an indefinite period of time can't be good…"

Based on a Shodan search, there are at least 125,000 websites potentially affected by this issue, niftylettuce said, adding that such sites probably suffer from decreased Google PageRank, PageInsights, and Lighthouse scores due to the weight Google gives to HTTP/2 in its ranking algorithms.

The issue has been under discussion in various GitHub Issues threads in the Node.js repo. And a pull request submitted in June to fix the bug was just committed on Monday.

What may have finally prompted action is that niftylettuce sent out an email on Saturday to leaders in the Node.js and npm (now within GitHub) communities with a list of unfixed problems affecting the JavaScript runtime and, mostly, its package management system. These include things like lack of notifications when ownership of an npm package changes (a potential security risk), other npm shortcomings that we understand are being worked on, and the XHR bug.

The XHR fix isn't likely to appear in upcoming or past versions of Node.js all that soon because it will need to be manually backported to the current Node v14 and earlier versions.

But eventually, the bug will be exterminated. If you want changes in an open source project, you either make them yourself or make enough noise to motivate others, it appears. ®


Biting the hand that feeds IT © 1998–2020