W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2009

Host header vs host in absolute-URI

From: Adrien de Croy <adrien@qbik.com>
Date: Sat, 18 Jul 2009 00:55:02 +1200
Message-ID: <4A6074A6.3010504@qbik.com>
To: HTTP Working Group <ietf-http-wg@w3.org>

I raised this a while back but there was no real comment on it (that I saw).

I've been doing a bit more thinking on this.

The scenario that has me concerned is where there's a request in the 
form of an Absolute-URI to a proxy, but the host in the Absolute-URI 
doesn't match the host in the Host header.

When a proxy receives such a request, if it doesn't look for consistency 
between these 2 values, it would use the host in the URI, and connect to 
that, and send the original untouched Host header (denoting some other 
host and/or port than the one connected to).

This has several possible problems.

1. If the request is then intercepted by another proxy (not uncommon), 
it may only have the information (bogus) in the Host header to make a 
connection based on.
2. If the request goes to a server, the other host may also be hosted there.

This could end up only bypassing security, or worse.  Is this an 
opportunity for a XSS attack?

Do any browsers allow script to alter the host header in requests?

Should a proxy be concerned about this possibility?  If so, what should 
it do?

a) rewrite the Host header always with the host from the URI regardless.
b) bounce the request with a 400 if they don't match

or something else?

My preference would be b, but does that break any valid uses?

Regards

Adrien

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Friday, 17 July 2009 12:52:13 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:07 GMT