- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Mon, 20 Jul 2015 21:27:37 +1200
- To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On 20/07/2015 8:35 p.m., Stefan Eissing wrote: > >> Am 20.07.2015 um 10:06 schrieb Erik Nygren: >> >> This is helpful. Since it sounds like both IIS/http.sys and Apache have http/2 >> implementations that effectively ignore :scheme by default and return https-scheme >> content when receiving :scheme=http over h2+TLS, I wouldn't be surprised >> if many other implementations ended up in the same boat. I'm aware of one >> other implementation that started off doing this as well. > > Well, as the one implementing http/2 in Apache, let me say that we do not "end" in > this boat. We "start" in this boat because requirements and concepts of OE are new > in http server configs. If existing servers treat port <=> scheme that seems > a reasonable assumption *pre* OE. The algorthm in RFC 7230 section 5.5 explicitly starts off with the clause: " If the request-target is in absolute-form, the effective request URI is the same as the request-target. " The association of port<=>scheme is only placed later in the algorithm, with clear guideline on what details have to be missing for it to be assumed. For consistency, if nothing else, the same algorithm should be used for HTTP/2 message interpretation. Only... In HTTP/2 the :scheme pseudo-header and others needed to form absolute-URI are mandatory. Which makes it always have a well-formed request-target. That was intentionally done to avoid exactly this bug from occuring. It saddens me greatly to hear that servers are ignoring it already on grounds of that being how they treat HTTP/1. Amos
Received on Monday, 20 July 2015 09:28:47 UTC