Re: Relative ordering of fields in HTTP request from Jeffrey Mogul on 2003-11-05 (ietf-http-wg@w3.org from October to December 2003)

From: Jeffrey Mogul <Jeff.Mogul@hp.com>
Date: Wed, 05 Nov 2003 10:55:14 -0800
To: Srikanth Kandula <kandula@MIT.EDU>
Cc: ietf-http-wg@w3.org
Message-Id: <200311051855.hA5ItEwJ020335@wera.hpl.hp.com>

Scott Lawrence <scott@skrb.org> writes:

    Srikanth Kandula <kandula@MIT.EDU> writes:

    > My current understanding is that header fields (say Accept: and
    > Connection: ) can fit inside a request header in any order.  Is this
    > correct?

    Yes.

    > If yes, is there a method by which one can enforce that a
    > certain field appear in certain order.
    >
    > More generally can the HTTP Server have a say in the ordering of
    > request header fields?

    No.

Scott is basically correct, but if someone out there misreads
this as "HTTP header field order does not matter at all" then
this is a mistake.

RFC2616, section 4.2 says:

   Multiple message-header fields with the same field-name MAY be
   present in a message if and only if the entire field-value for that
   header field is defined as a comma-separated list [i.e., #(values)].
   It MUST be possible to combine the multiple header fields into one
   "field-name: field-value" pair, without changing the semantics of the
   message, by appending each subsequent field-value to the first, each
   separated by a comma. The order in which header fields with the same
   field-name are received is therefore significant to the
   interpretation of the combined field value, and thus a proxy MUST NOT
   change the order of these field values when a message is forwarded.

Note the "MUST NOT" in the final sentence.

For example, on a path with a proxy the client sends a request with:

	HeaderX: A, B, C, D

or it could send the same request with:

	HeaderX: A, B
	HeaderX: C, D

It is legal for the proxy to convert that second form to

	HeaderX: A, B, C, D

but it is NOT legal for the proxy to convert it to

	HeaderX: C, D
	HeaderX: A, B

because then the ultimate recipient would see "C, D, A, B"
instead of "A, B, C, D".

This only applies to "message-header fields with the same
field-name"; section 4.2 also says:

   The order in which header fields with differing field names are
   received is not significant. 

and so it is definitely legal to reorder (for example)

	Accept: text/plain
	Connection: close

to become

	Connection: close
	Accept: text/plain

-Jeff

P.S.: Alex: does your proxy validation suite check for that
MUST NOT from section 4.2?

Received on Wednesday, 5 November 2003 13:56:20 UTC