Skip to content

fix(mcp): headerParser truncates header values containing colons#39469

Closed
2150997113 wants to merge 1 commit intomicrosoft:mainfrom
2150997113:fix/header-parser-colon-bug
Closed

fix(mcp): headerParser truncates header values containing colons#39469
2150997113 wants to merge 1 commit intomicrosoft:mainfrom
2150997113:fix/header-parser-colon-bug

Conversation

@2150997113
Copy link

@2150997113 2150997113 commented Mar 1, 2026

Summary

Fixes microsoft/playwright-mcp#1417

The headerParser function in packages/playwright-core/src/mcp/browser/config.ts used split(':') which splits on all colons in the string. JavaScript destructuring const [name, value] only captures the first two array elements, silently discarding any content after the second colon.

Impact

This bug affects:

  • --cdp-header CLI flag
  • PLAYWRIGHT_MCP_CDP_HEADERS environment variable

Examples of truncated headers:

Input Expected Actual (Before Fix)
X-Custom: http://example.com http://example.com http
X-Auth: token:secret:data token:secret:data token
X-Host: localhost:8080 localhost:8080 localhost

Fix

Split only on the first colon using indexOf(':') and substring(), which matches the HTTP header spec (RFC 7230 Section 3.2): header field values can contain colons, only the first colon separates name from value.

Test Plan

Added comprehensive test cases in tests/mcp/config.spec.ts:

  • Standard header without colon in value
  • Header with URL in value (http://example.com)
  • Header with multiple colons in value
  • Header with port number in value
  • Multiple headers via previous parameter
  • Header with whitespace
  • Empty/undefined input
  • Header without colon returns empty result

All tests pass:

✓ tests/mcp/config.spec.ts:160:5 › headerParser should parse header with value containing colons (14ms)

@2150997113
Copy link
Author

2150997113 commented Mar 1, 2026

@microsoft-github-policy-service agree

@yury-s
Copy link
Member

yury-s commented Mar 2, 2026

FYI, there is already an open PR for the same issue.

yury-s
yury-s reviewed Mar 2, 2026
View reviewed changes
@github-actions

This comment has been minimized.

Sign in to view
fix(mcp): headerParser truncates header values containing colons
437c7cb 
The headerParser function used split(':') which splits on ALL colons,
causing header values like 'http://example.com' to be truncated to 'http'.
This affects --cdp-header CLI flag and PLAYWRIGHT_MCP_CDP_HEADERS env var.

Fix by splitting only on the first colon, as per HTTP header spec (RFC 7230).

Fixes microsoft#1417
@2150997113 2150997113 force-pushed the fix/header-parser-colon-bug branch from ac747df to 437c7cb Compare March 3, 2026 02:25
yury-s
yury-s approved these changes Mar 3, 2026
View reviewed changes
tests/mcp/cdp.spec.ts
});

test('cdp server with headers containing colons', async ({ startClient, server }) => {
// Regression test for https://github.com/microsoft/playwright-mcp/issues/1417
Copy link
Member

@yury-s yury-s Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: we usually use

test('cdp server with headers containing colons', {
  annotation: { type: 'issue', description: 'https://github.com/microsoft/playwright-mcp/issues/1417' },
},async ({ startClient, server }) => {

@github-actions
Copy link
Contributor

github-actions bot commented Mar 3, 2026

Test results for "MCP"

6 failed
❌ [chromium] › mcp/roots.spec.ts:47 › check that trace is saved in workspace @mcp-windows-latest
❌ [chrome] › mcp/http.spec.ts:210 › http transport browser lifecycle (persistent) @mcp-macos-15
❌ [chromium] › mcp/http.spec.ts:210 › http transport browser lifecycle (persistent) @mcp-macos-15
❌ [firefox] › mcp/http.spec.ts:210 › http transport browser lifecycle (persistent) @mcp-macos-15
❌ [webkit] › mcp/http.spec.ts:210 › http transport browser lifecycle (persistent) @mcp-macos-15
❌ [webkit] › mcp/sse.spec.ts:160 › sse transport browser lifecycle (persistent) @mcp-macos-15

5218 passed, 171 skipped

Merge workflow run.

yury-s
yury-s approved these changes Mar 3, 2026
View reviewed changes
tests/mcp/cdp.spec.ts
// Regression test for https://github.com/microsoft/playwright-mcp/issues/1417
let customHeader = '';
server.setRoute('/json/version/', (req, res) => {
customHeader = req.headers['x-custom'];
Copy link
Member

@yury-s yury-s Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's fix the lint error and we can merge this.

@pavelfeldman
Copy link
Member

pavelfeldman commented Mar 9, 2026

ping?

@yury-s
Copy link
Member

yury-s commented Mar 10, 2026
edited
Loading

It was fixed in #39401

@yury-s yury-s closed this Mar 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yury-s yury-s yury-s approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bug: headerParser truncates header values containing colons (e.g., Authorization: Bearer tokens)

3 participants

@2150997113 @yury-s @pavelfeldman