Re: NEW ISSUE: empty Host header


>From section 14.23

"the Host field value MUST represent the naming authority of the origin
server or gateway given by the original URL."


"If the requested URI does not include an Internet host name for the service
being requested, then the Host header field MUST be given with an empty

I would say that it is already forbidden since I cannot see how the
zero-length host name identifies the naming authority (maybe this situation
should be explicitly stated).

Besides, I feel the second requirement conflicts with the step 2 of section
5.2 :

"2. If the Request-URI is not an absoluteURI, and the request includes
     a Host header field, the host is determined by the Host header
     field value."

Because "the requested URI" may be understood as the Request-URI... which
does not includes an Internet host name if it is not an absoluteURI (though
the user-agent possibly knows the absoluteURI).IMHO it should be replaced by
something like "if the user-agent does not know the requested URI then the
Host header field MUST be given with an empty value" or "if the user-agent
is not willing to include an Internet host name, then the Host header field
MAY be given with an empty value"



----- Original Message ----- 
From: "Julian Reschke" <>
To: "Roy T. Fielding" <>
Cc: "Bjoern Hoehrmann" <>; <>
Sent: Thursday, November 22, 2007 7:23 AM
Subject: Re: NEW ISSUE: empty Host header

> Roy T. Fielding wrote:
>> Host is full of baggage imposed by folks who never implemented
>> HTTP and had no way of knowing that mandating Host on all messages
>> was a complete waste of time (it had already been implemented on
>> all browsers).
>> We don't need to change the mandate, but we can improve the
>> description so that it explains all of the types of possible
>> HTTP requests and note the fact that not all URIs have a host
>> portion.  The empty Host is for that reason.  I thought that
>> this was already on the issues list, but I guess not.
>> Note that host in RFC3986 is already defined to allow empty
>> (because reg-name can be empty).
> Interesting.
> So... assuming we replaced RFC2396's host with RCF3986's host, the
> following would become legal:
>   Host: :81
> Bug or feature?
> BR, Julian

Received on Thursday, 22 November 2007 12:27:38 UTC