- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Tue, 16 Jun 2009 18:17:07 -0700
- To: Adrien de Croy <adrien@qbik.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Jun 16, 2009, at 5:28 PM, Adrien de Croy wrote:

> Roy T. Fielding wrote:
>> On Jun 16, 2009, at 3:26 PM, Adrien de Croy wrote:
>>
>>> I recently updated our proxy to reject all HTTP/1.1 messages from
>>> clients that lack a Host header.
>>>
>>> This has been found to break a number of clients which use the
>>> CONNECT method.
>>
>> What clients?
>
> I only have a couple of reports since this wasn't in general
> release - a mail.ru client and FTP commander using CONNECT.

Then break them. They are sending invalid requests, most likely
because they are trying to trigger a security hole.

> However, on further reading of RFC2616, it appears David Morris is
> correct, that a Host header is only a MUST requirement if the
> Request-URI is not an AbsoluteURI, and MUST be ignored if it is.
> This doesn't cover the case where Request-URI is authority (as per
> CONNECT)... so a strict interpretation is that CONNECT requires
> host, although I imagine this wasn't the intent, since authority
> contains the required information.

No, the intention was that Host is required on all HTTP/1.1 requests
for policy reasons (ensuring deployment of Host was a high priority).
Its value might be empty because not all URIs have host portions.

Apache will always respond 400 if HTTP/1.1 and no Host header field.
It will also respond 400 if HTTP >= 1.1 and the hostname target cannot
be obtained via either the request-uri or the Host field.
A "CONNECT host:port HTTP/1.1" request without a Host field will fail
the first test even if it passes the second.

....Roy
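The two checks Roy describes, as an added example that is not Apache's code and not part of this thread: a small Python validator that applies them in the same order and reports which one rejected a request. The function name, the header lookup and the sample hostnames are assumptions.

```python
"""Host-header validation in the order described above (added example).

Test 1: every HTTP/1.1 request must carry a Host field, even an empty one.
Test 2: a hostname target must be obtainable from the request-target or Host.
A CONNECT without Host fails test 1 even though its authority would pass test 2.
"""
from urllib.parse import urlsplit


def check_host_requirement(request_line, headers):
    """Return (status, reason); status 200 means the request passes both checks.

    headers is a dict of field-name -> value (names compared case-insensitively).
    """
    try:
        method, target, version = request_line.split(" ", 2)
        if not version.startswith("HTTP/"):
            raise ValueError
        parts = version[5:].split(".")
        major, minor = int(parts[0]), (int(parts[1]) if len(parts) > 1 else 0)
    except ValueError:
        return 400, "malformed request line"

    if (major, minor) < (1, 1):
        return 200, "HTTP/1.0 request: Host is optional"

    host_hdr = next((v for k, v in headers.items() if k.lower() == "host"), None)

    # Test 1: presence of the Host field, regardless of its value.
    if host_hdr is None:
        return 400, "HTTP/1.1 request without Host header field"

    # Test 2: derive a hostname from the request-target by its form.
    if method == "CONNECT":
        hostname = target.rsplit(":", 1)[0]           # authority form: host:port
    elif "://" in target:
        hostname = urlsplit(target).hostname or ""    # absolute-URI form
    else:
        hostname = ""                                 # origin form: only Host can supply it

    if not hostname and not host_hdr.strip():
        return 400, "no hostname target in request-target or Host field"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample requests; hostnames are placeholders.
    for line, hdrs in [("CONNECT mail.example.net:443 HTTP/1.1", {}),
                       ("GET / HTTP/1.1", {"Host": ""}),
                       ("GET http://www.example.org/ HTTP/1.1", {"host": ""})]:
        print(line, "->", check_host_requirement(line, hdrs))
```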
Received on Wednesday, 17 June 2009 01:17:40 UTC