fix(mcp): split header value only on first colon in headerParser #39401

Open
furkankoykiran wants to merge 2 commits into microsoft:main from furkankoykiran:fix/header-parser-colon-truncation

@furkankoykiran

Summary

Fix headerParser function in packages/playwright/src/mcp/browser/config.ts that silently truncates header values containing colons.

Problem

The headerParser function used arg.split(':') which splits on all colons in the string. JavaScript destructuring const [name, value] only captures the first two array elements, silently discarding any content after the second colon.

This caused header values containing colons to be silently truncated:

| Input | Expected | Actual (before fix) |
|---|---|---|
| `X-Custom: http://example.com` | `http://example.com` | `http` |
| `X-Forwarded-Proto: value:with:colons` | `value:with:colons` | `value` |

This affects:

  • --cdp-header CLI flag
  • PLAYWRIGHT_MCP_CDP_HEADERS environment variable
  • Any header value containing URLs (http://, https://), port numbers (host:port), or Base64 strings with colons

Solution

Replace arg.split(':') with arg.indexOf(':') + arg.substring() to split only on the first colon, matching the HTTP header spec (RFC 7230 Section 3.2).

 export function headerParser(arg: string | undefined, previous?: Record<string, string>): Record<string, string> {
   if (!arg)
     return previous || {};
   const result: Record<string, string> = previous || {};
-  const [name, value] = arg.split(':').map(v => v.trim());
-  result[name] = value;
+  const colonIndex = arg.indexOf(':');
+  if (colonIndex === -1)
+    return result;
+  const name = arg.substring(0, colonIndex).trim();
+  const value = arg.substring(colonIndex + 1).trim();
+  result[name] = value;
   return result;
 }
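Review bot: the `if (colonIndex === -1) return result;` branch drops a colon-less argument without any error, whereas the removed lines stored the name (with an undefined value) for that input, so a mistyped or value-less header now disappears silently. Consider either keeping the entry with an empty string value or throwing with the offending argument. The case where the colon is at index 0 also deserves a guard, since it currently writes the value to `result['']`.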

Test Results

Added unit tests in tests/mcp/header-parser.spec.ts covering:

  • ✅ Simple header parsing
  • ✅ Header values containing URLs (colons in ://)
  • ✅ Header values with multiple colons
  • ✅ Undefined and empty input handling
  • ✅ Headers without colons (malformed)
  • ✅ Whitespace trimming
  • ✅ Header accumulation with previous parameter

Local verification: 8/8 tests passed

Fixes microsoft/playwright-mcp#1417
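The truncation described under Problem, together with the edge cases around it (no colon, empty value, empty name), can be checked against a list of configured header arguments. This is an added example, not code from the pull request; `splitAll`, `firstColon`, `classify`, `audit` and the sample arguments are hypothetical names and constructed inputs.

```javascript
// Added example; not code from the pull request. All names are hypothetical.

// Parsing as in the removed lines: split on every colon, keep two parts.
function splitAll(arg) {
  const [name, value] = arg.split(':').map(v => v.trim());
  return { name, value };
}

// Parsing as in the added lines: split on the first colon; null when none.
function firstColon(arg) {
  const i = arg.indexOf(':');
  if (i === -1)
    return null;
  return { name: arg.substring(0, i).trim(), value: arg.substring(i + 1).trim() };
}

// Classify one header argument by how the two parsers treat it.
function classify(arg) {
  const before = splitAll(arg);
  const after = firstColon(arg);
  let status = 'unchanged';
  if (after === null)
    status = 'no-colon';          // stored with undefined value before, skipped after
  else if (after.name === '')
    status = 'empty-name';        // both parsers store it under the key ''
  else if (before.value !== after.value)
    status = 'was-truncated';     // value contained a second colon
  else if (after.value === '')
    status = 'empty-value';       // "Name:" keeps '' in both parsers
  return { arg, status, before: before.value, after: after ? after.value : undefined };
}

function audit(args) {
  return args.map(classify);
}

// Constructed sample arguments, in the form passed to --cdp-header.
const SAMPLES = [
  'X-Custom: http://example.com',
  'X-Forwarded-Proto: value:with:colons',
  'X-Simple: 1',
  'X-Empty:',
  'X-NoColon',
  ': orphan',
];

for (const row of audit(SAMPLES))
  console.log(row.status.padEnd(14), JSON.stringify(row.arg), '->', row.before, '|', row.after);
```

Rows marked `was-truncated` are header values that were sent shortened before the change; `no-colon` rows are the inputs whose handling differs between the two versions.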

The headerParser function used arg.split(':') which splits on ALL
colons in the string. JavaScript destructuring only captures the first
two array elements, silently discarding content after the second colon.

This caused header values containing colons (URLs with ://, port
numbers, Base64 strings) to be silently truncated.

The fix uses indexOf(':') + substring() to split only on the first
colon, matching the HTTP header spec (RFC 7230 Section 3.2).

Fixes microsoft/playwright-mcp#1417

Add comprehensive tests for the headerParser function to verify
that header values containing colons (URLs, multi-colon values)
are preserved correctly.

Fixes microsoft/playwright-mcp#1417
@furkankoykiran
Author

@microsoft-github-policy-service agree

const result: Record<string, string> = previous || {};
const [name, value] = arg.split(':').map(v => v.trim());
const colonIndex = arg.indexOf(':');
if (colonIndex === -1)
Member

This will lose support for headers with empty value.

*/

import { test, expect } from '@playwright/test';
import { headerParser } from '../../packages/playwright/src/mcp/browser/config';
Member

Let's instead add an integration test that validates the user-facing functionality. We normally don't write unit tests in playwright.

Development

Successfully merging this pull request may close these issues.

Bug: headerParser truncates header values containing colons (e.g., Authorization: Bearer tokens)
