Missing validation of value field in HTTPHeader

[kwaszczuk]

What happened:
Even though the HTTPHeader API reference explicitly states: "HTTPHeader represents an HTTP Header name and value as defined by RFC 7230.", the Gateway API does not validate HTTPHeader.value field at all. This allows header values to be defined with invalid characters according to RFC 7230, such as newlines (\n) and carriage returns (\r).

This can have dramatic effects, breaking entire routing configurations in some implementations, e.g. Istio (see the example below), where including invalid header values causes the entire routing provisioning to fail.

What you expected to happen:
The Gateway API should validate HTTPHeader.value field according to RFC 7230 specification.

How to reproduce it (as minimally and precisely as possible):

1. Create a Gateway resource my-gateway using Istio implementation:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: my-gateway
  namespace: default
spec:
  gatewayClassName: istio
  listeners:
  - allowedRoutes:
      namespaces:
        from: Same
    name: http
    port: 80
    protocol: HTTP

2. Create a HTTPRoute resource with a ResponseHeaderModifier with a header value containing newline or carriage return characters

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: header-test
spec:
  parentRefs:
  - name: my-gateway
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /test
    filters:
    - type: ResponseHeaderModifier
      responseHeaderModifier:
        add:
        - name: X-Test-Header
          value: "this\nis\rinvalid\r\nvalue"

3. Apply the configuration to a cluster
4. Observe that the configuration is accepted without validation errors, resulting in Istio's RDS (route discovery service) being completely out of order:

$ kubectl logs -n istio-system -l app=istiod --tail=100000000 -c discovery | grep "ERROR"
2025-03-09T22:56:44.871781Z     warn    delta   ADS:RDS: ACK ERROR my-gateway-istio-59fd8d6848-w9h5s.default-2141 Internal:Proto constraint validation failed (RouteConfigurationValidationError.VirtualHosts[0]: embedded message failed validation | caused by VirtualHostValidationError.Routes[0]: embedded message failed validation | caused by RouteValidationError.ResponseHeadersToAdd[0]: embedded message failed validation | caused by HeaderValueOptionValidationError.Header: embedded message failed validation | caused by HeaderValueValidationError.Value: value does not match regex pattern "^[^\x00\n\r]*$"): name: "http.80"

$ istioctl proxy-status
NAME                                          CLUSTER        CDS              LDS              EDS              RDS             ECDS        ISTIOD                      VERSION
my-gateway-istio-59fd8d6848-w9h5s.default     Kubernetes     SYNCED (42s)     SYNCED (42s)     SYNCED (44s)     ERROR (42s)     IGNORED     istiod-688bc8bb9f-dgr4t     1.25.0

Anything else we need to know?:
I believe this should be straightforward to address, so I am willing to contribute a fix.

[youngnick]

Yes, agreed, this is a bug, we should have validation to ensure that values match what's specified.

However, the tricky part is that this is technically a breaking change, since we are tightening validation (by including some). Personally, I think this is okay in this instance because, as you say, there's no real way to use this for good - it's almost guaranteed to be broken.

@robscott @shaneutt @mlavacca thoughts?

[robscott]

Thanks for catching this @kwaszczuk! I agree that we should fix this, but let's start with validation that's limited to experimental channel, and then bring it to standard channel in a follow up release as this is a breaking change like @youngnick said.

[kflynn]

+1 to experimental-first...