Should the Accept header be validated?

[huntc]

Summary

I just noticed that I can have Axum returning any content that it wants to without the Accept header having been checked. Should it be possible, say, for an application to return application/json where no Accept header allows it?

Otherwise, there's a bit of boilerplate I now need for each request:

// The following 3 lines could be within a function
let mut accept_types = headers
    .get(ACCEPT)
    .and_then(|ct| ct.to_str().ok().map(String::from))
    .unwrap_or_else(|| "*/*".to_string());
accept_types.retain(|c| !c.is_whitespace());
accept_types.push(',');

if accept_types.contains("text/csv,")
    || accept_types.contains("text/*,")
    || accept_types.contains("*/*,")
{
    // TODO: Stream out the events as a CSV
    Ok(())
} else {
    Err(StatusCode::UNSUPPORTED_MEDIA_TYPE)
}

axum version

0.7.4

[davidpdrsn]

Should it be possible, say, for an application to return application/json where no Accept header allows it?

Yes. It would be way too restrictive otherwise. I can already see all the issues coming if we enforced something like that.

[huntc]

I certainly don’t want to create a support issue! :-)

Isn’t it wrong to return a resource with a content type that the request or is unwilling to accept?

[davidpdrsn]

Isn’t it wrong to return a resource with a content type that the request or is unwilling to accept?

I'll let you decide that. I don't think its something that should be enforced at the framework level.

If its something you want then you have to enforce it yourself. Not sure if a crate exists for it.