This repository has been archived by the owner on Nov 6, 2022. It is now read-only.

Parse Error: Invalid header value char #520

Closed
gc opened this issue Jul 10, 2020 · 2 comments

gc commented Jul 10, 2020

const fetch = require('node-fetch');

fetch('https://secure.runescape.com/m=hiscore_oldschool/index_lite.ws?player=magnaboy');

Fails with this error:

 FetchError: request to https://secure.runescape.com/m=hiscore_oldschool/index_lite.ws?player=magnaboy failed, reason: Parse Error: Invalid header value char
     at ClientRequest.<anonymous> (C:\project\node_modules\node-fetch\lib\index.js:1455:11)
     at ClientRequest.emit (events.js:315:20)
     at TLSSocket.socketOnData (_http_client.js:514:9)
     at TLSSocket.emit (events.js:315:20)
     at addChunk (_stream_readable.js:302:12)
     at readableAddChunk (_stream_readable.js:278:9)
     at TLSSocket.Readable.push (_stream_readable.js:217:10)
     at TLSWrap.onStreamRead (internal/stream_base_commons.js:186:23)

I tried to call this API with the exact same headers in other programming languages, in curl, wget and in all browsers - and it works in everything except nodejs, that I can find. Is it possible anyone can shed some light on this and if it's possibly a problem in nodejs?

I've exhausted the depth of my ability to debug this error, and don't know how I should proceed. I reported it to the website owners but it doesn't seem practical or any priority at all for them to fix the root cause of whichever http header causes this.

@bnoordhuis
Member

The offending header, formatted with xxd:

00000b5e: 4d61 782d 4167 653d 3930 300d 0a3c 2053 6574 2d43 6f6f 6b69 653a 205f 5f5f  Max-Age=900..< Set-Cookie: ___
00000b7c: 7574 6d76 624b 5075 6d4c 4d4f 5a3d 415a 7a0d 0a3c 2020 2020 2058 4b70 4f4b  utmvbKPumLMOZ=AZz..<     XKpOK
00000b9a: 616c 473a 2059 7468 3b20 7061 7468 3d2f 3b20 4d61 782d 4167 653d 3930 300d  alG: Yth; path=/; Max-Age=900.
00000bb8: 0a3c 2058 2d43 444e 3a20 496e 6361 7073 756c 610d 0a3c 2054 7261 6e73 6665  .< X-CDN: Incapsula..< Transfe

The header on the last line starts with < X-CDN: and that's simply illegal; http-parser is right to reject it.

Other parsers may be more lenient but that's on them. Trying to make something meaningful out of garbage is a recipe for security issues.

@furkanmustafa

Sorry for necromancing the conversation, we're hitting a similar issue.

But, @bnoordhuis are you sure that output (you've formatted with xxd) is not curl's verbose output? Curl displays server response prefixed with < just for display purposes.
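
An added example (not code from http-parser, node-fetch, or any participant in this thread): a small Node.js checker that classifies the three complete header lines visible in the xxd dump above against the RFC 7230 field grammar, once exactly as dumped and once with a leading `< ` removed, which is the marker `curl -v` puts in front of received header lines. The names `classifyLine`, `stripCurlPrefix` and `report` are hypothetical, and this is a simplified grammar check, not the logic http-parser actually runs.

```javascript
// Added example: classify raw header lines against the RFC 7230 field grammar.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;    // field-name = 1*tchar
const BAD_VALUE_CHAR = /[\x00-\x08\x0a-\x1f\x7f]/; // control chars other than HTAB

// The three complete lines visible in the xxd dump on this page, CRLF removed.
const DUMPED_LINES = [
  '< Set-Cookie: ___utmvbKPumLMOZ=AZz',
  '<     XKpOKalG: Yth; path=/; Max-Age=900',
  '< X-CDN: Incapsula',
];

function classifyLine(line) {
  if (line === '') return 'end-of-headers';
  // A line starting with SP or HTAB continues the previous field value
  // (obs-fold, which RFC 7230 deprecates).
  if (line[0] === ' ' || line[0] === '\t') {
    return BAD_VALUE_CHAR.test(line) ? 'invalid-value-char' : 'obs-fold';
  }
  const colon = line.indexOf(':');
  if (colon <= 0) return 'invalid-field-name';
  const name = line.slice(0, colon);
  const value = line.slice(colon + 1);
  // "<" and SP are not tchar, so a name containing them is not a token.
  if (!TOKEN.test(name)) return 'invalid-field-name';
  if (BAD_VALUE_CHAR.test(value)) return 'invalid-value-char';
  return 'field';
}

// curl -v marks received header lines with "< "; remove that marker if present.
function stripCurlPrefix(line) {
  return line.startsWith('< ') ? line.slice(2) : line;
}

function report(lines) {
  return lines.map((l) => `${classifyLine(l).padEnd(20)} ${JSON.stringify(l)}`);
}

console.log('as dumped:\n' + report(DUMPED_LINES).join('\n'));
console.log('prefix removed:\n' +
  report(DUMPED_LINES.map((l) => stripCurlPrefix(l))).join('\n'));
```

The classification depends entirely on which bytes were on the wire, so a capture used to judge a parser rejection should come from the raw socket data and not from a tool's display output.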
