
Re: Host header vs host in absolute-URI

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Fri, 17 Jul 2009 20:34:55 +0200
To: Adrien de Croy <adrien@qbik.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <1247855695.22191.16.camel@localhost.localdomain>

Sat 2009-07-18 at 00:55 +1200, Adrien de Croy wrote:

> The scenario that has me concerned is where there's a request in the 
> form of an Absolute-URI to a proxy, but the host in the Absolute-URI 
> doesn't match the host in the Host header.
> 
> When a proxy receives such a request, if it doesn't look for consistency 
> between these 2 values, it would use the host in the URI, and connect to 
> that, and send the original untouched Host header (denoting some other 
> host and/or port than the one connected to).

That's a broken proxy. Proxies have to obey the client requirements just
as any other client, and sending out requests with a different Host
header than the host component of the Requested-URI is plain broken
(violating a MUST requirement).

When a proxy gets a request with mismatch between Host and Request-URI
it has two options:

a) Reject the request as malformed with 400 Bad Request

b) Drop the received Host header and add back one using the host
component from Request-URI, as if the received request was an HTTP/1.0
request without Host.

For simplicity I unconditionally do 'b' without even looking at the
received Host header.

> Do any browsers allow script to alter the host header in requests?

Very much doubt so.

> Should a proxy be concerned about this possibility?  If so, what should 
> it do?

Yes.

> a) rewrite the Host header always with the host from the URI regardless.
> b) bounce the request with a 400 if they don't match

Pick the one you prefer.

> or something else?

Not that I know of. But then I haven't been verifying Host header
correctness ever... 

> My preference would be b, but does that break any valid uses?

It should not.

Regards
Henrik
Received on Friday, 17 July 2009 18:35:40 GMT
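
The two options described in the message above, as an added example (not code from this thread or from any proxy it mentions). The function names, the policy strings and the `.example` hostnames are assumptions made for illustration; the sketch also treats duplicate Host headers as malformed under option (a).

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}  # assumed set of schemes handled

def normalise(scheme, authority):
    """Canonical host[:port] (lowercase host, default port dropped), or None."""
    try:
        parts = urlsplit(f"{scheme}://{authority}")
        host, port = parts.hostname, parts.port
    except ValueError:  # non-numeric port or malformed IPv6 literal
        return None
    # Refuse userinfo and anything that is not purely host[:port].
    if not host or parts.netloc != authority or "@" in authority:
        return None
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    return host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"

def outgoing_headers(request_line, headers, policy="rewrite"):
    """Headers to forward, or None when the proxy should answer 400.

    headers is a list of (name, value) pairs as received from the client.
    policy "reject" is option (a); policy "rewrite" is option (b).
    """
    try:
        _method, target, _version = request_line.split(" ")
        uri = urlsplit(target)
    except ValueError:
        return None
    scheme = uri.scheme.lower()
    want = normalise(scheme, uri.netloc) if scheme in DEFAULT_PORTS else None
    if want is None:  # not an absolute-URI this sketch can route on
        return None
    received = [v.strip() for n, v in headers if n.lower() == "host"]
    if policy == "reject" and (
        len(received) > 1 or any(normalise(scheme, v) != want for v in received)
    ):
        return None
    # Both policies emit exactly one Host, derived from the Request-URI,
    # so the received value never reaches the origin server.
    rest = [(n, v) for n, v in headers if n.lower() != "host"]
    return [("Host", want)] + rest

# Constructed sample: Request-URI names one host, Host header another.
SAMPLE = [("Host", "internal.example"), ("Accept", "*/*")]
```

Under either policy the outgoing request carries a single Host value taken from the Request-URI; the policies differ only in whether a mismatching request is forwarded at all.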
