- From: Henrik Nordstrom <henrik@henriknordstrom.net>
- Date: Fri, 17 Jul 2009 20:34:55 +0200
- To: Adrien de Croy <adrien@qbik.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Sat 2009-07-18 at 00:55 +1200, Adrien de Croy wrote:
> The scenario that has me concerned is where there's a request in the
> form of an Absolute-URI to a proxy, but the host in the Absolute-URI
> doesn't match the host in the Host header.
>
> When a proxy receives such a request, if it doesn't look for consistency
> between these 2 values, it would use the host in the URI, and connect to
> that, and send the original untouched Host header (denoting some other
> host and/or port than the one connected to).

That's a broken proxy. Proxies have to obey the client requirements just as any other client, and sending out requests with a different Host header than the host component of the Request-URI is plain broken (violating a MUST requirement).

When a proxy gets a request with a mismatch between Host and Request-URI it has two options:

a) Reject the request as malformed with 400 Bad Request

b) Drop the received Host header and add back one using the host component from Request-URI, as if the received request was an HTTP/1.0 request without Host.

For simplicity I unconditionally do 'b' without even looking at the received Host header.

> Do any browsers allow script to alter the host header in requests?

Very much doubt so.

> Should a proxy be concerned about this possibility? If so, what should
> it do?

Yes.

> a) rewrite the Host header always with the host from the URI regardless.
> b) bounce the request with a 400 if they don't match

Pick the one you prefer.

> or something else?

Not that I know of. But then I haven't been verifying Host header correctness ever...

> My preference would be b, but does that break any valid uses?

It should not.

Regards
Henrik
Received on Friday, 17 July 2009 18:35:40 UTC
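The two handling policies discussed in the message, written out as an added example (hypothetical code, not from the thread, from Squid or from any other proxy): policy 'a' rejects a request whose received Host disagrees with the host component of the absolute-URI, policy 'b' ignores the received Host and rebuilds it from the Request-URI. It assumes proxy requests carry an absolute-URI target and that a missing Host is treated like an HTTP/1.0 request; function names and the sample request are the example's own.

```python
from urllib.parse import urlsplit


class BadRequest(Exception):
    """Policy 'a': the proxy answers 400 Bad Request instead of forwarding."""


def _authority(host, port, scheme):
    """Canonical host[:port]: lower-case, bracketed IPv6, default port dropped,
    so 'Example.COM:80' and 'example.com' compare equal for http."""
    host = host.lower()
    if ":" in host:                      # bare IPv6 literal from urlsplit().hostname
        host = f"[{host}]"
    if port is None or port == {"http": 80, "https": 443}.get(scheme):
        return host
    return f"{host}:{port}"


def _canonical_host_header(value, scheme):
    """Parse a received Host value ('host' or 'host:port'); None if unparsable."""
    try:
        p = urlsplit("//" + value.strip())
        return _authority(p.hostname, p.port, scheme) if p.hostname else None
    except ValueError:                   # e.g. non-numeric port
        return None


def normalize_proxy_request(request_line, headers, policy="b"):
    """Return a copy of `headers` whose Host matches the absolute-URI request target.

    policy 'a': raise BadRequest when a received Host disagrees with the URI.
    policy 'b': ignore the received Host entirely and rebuild it from the URI,
                as if the request were HTTP/1.0 without a Host header.
    A request with no Host header is accepted under both policies (assumption).
    """
    if policy not in ("a", "b"):
        raise ValueError("policy must be 'a' or 'b'")
    try:
        _method, target, _version = request_line.split(" ", 2)
        uri = urlsplit(target)
        uri_port = uri.port              # raises ValueError on a bad port
    except ValueError:
        raise BadRequest("malformed request line or Request-URI")
    if not uri.scheme or not uri.hostname:
        raise BadRequest("proxy request target must be an absolute-URI")
    uri_host = _authority(uri.hostname, uri_port, uri.scheme)

    received = next((v for k, v in headers.items() if k.lower() == "host"), None)
    if policy == "a" and received is not None \
            and _canonical_host_header(received, uri.scheme) != uri_host:
        raise BadRequest(f"Host {received!r} does not match Request-URI host {uri_host!r}")

    out = {k: v for k, v in headers.items() if k.lower() != "host"}
    out["Host"] = uri_host               # the upstream request always carries the URI host
    return out
```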