RE: HTTP/1.1 proxy behavior when Host differs from absoluteURI from Richard Wheeldon (rwheeldo) on 2014-03-11 (ietf-http-wg@w3.org from January to March 2014)

From: Richard Wheeldon (rwheeldo) <rwheeldo@cisco.com>
Date: Tue, 11 Mar 2014 17:33:50 +0000
To: "HTTP Working Group (ietf-http-wg@w3.org)" <ietf-http-wg@w3.org>
Message-ID: <0566CA5E9B906D40B6737DD47DA9FB8F1AE43510@xmb-rcd-x04.cisco.com>

I think it's ambiguous. Squid will change the host to match that found in the URI. Our CWS proxy will simply disallow and reject the request. This is not compliant but no-one has ever complained and I don't think I see any legitimate use case for allowing this. It also smells like there could be a vulnerability to exploit in certain circumstances. Don't expect it to work well in practice.

Regards,

Richard

From: Daniel Sommermann [mailto:dcsommer@fb.com]
Sent: 11 March 2014 16:35
To: HTTP Working Group
Subject: HTTP/1.1 proxy behavior when Host differs from absoluteURI

What is the correct behavior for a (forward) proxy that receives a request with an absoluteURI that differs from the Host header? 5.1.2 suggests that the Host header should be ignored ("Note that the proxy MAY forward the request on to another proxy or directly to the server specified by the absoluteURI"). 5.2 seems to suggest the same, but this section is scoped to the behavior of the origin server, not for a proxy.

If the Host header should be ignored for forwarding by the proxy, should the Host header be stripped or forwarded to the next hop?

Received on Tuesday, 11 March 2014 17:34:19 UTC