Re: Host header vs host in absolute-URI

Henrik Nordstrom wrote:
> lör 2009-07-18 klockan 00:55 +1200 skrev Adrien de Croy:
>
>   
>> The scenario that has me concerned is where there's a request in the 
>> form of an Absolute-URI to a proxy, but the host in the Absolute-URI 
>> doesn't match the host in the Host header.
>>
>> When a proxy receives such a request, if it doesn't look for consistency 
>> between these 2 values, it would use the host in the URI, and connect to 
>> that, and send the original untouched Host header (denoting some other 
>> host and/or port than the one connected to).
>>     
>
> That's a broken proxy. 
I agree it's broken, however I can't find this MUST requirement.

Or are you referring to p1 messaging s 5.1.2 para 6?

"The most common form of request-target is that used to identify a
resource on an origin server or gateway. In this case the absolute
path of the URI MUST be transmitted (see Section 2.1.1, path-
absolute) as the request-target, and the network location of the URI
(authority) MUST be transmitted in a Host header field."

Regards

Adrien

> Proxies have to obey the client requirements just
> as any other client, and sending out requests with a different Host
> header than the host component of the Requested-URI is plain broken
> (violating a MUST requirement).
>
> When a proxy gets a request with mismatch between Host and Request-URI
> it has two options:
>
> a) Reject the request as malformed with 400 Bad Request
>
> b) Drop the received Host header and add back one using the host
> component from Request-URI, as if the received request was an HTTP/1.0
> request without Host.
>
> For simplicity I unconditionally do 'b' without even looking at the
> received Host header.
>
>   
>> Do any browsers allow script to alter the host header in requests?
>>     
>
> Very much doubt so.
>
>   
>> Should a proxy be concerned about this possibility?  If so, what should 
>> it do?
>>     
>
> Yes.
>
>   
>> a) rewrite the Host header always with the host from the URI regardless.
>> b) bounce the request with a 400 if they don't match
>>     
>
> Pick the one you prefer.
>
>   
>> or something else?
>>     
>
> Not that I know of. But then I haven't been verifying Host header
> correctness ever... 
>
>   
>> My preference would be b, but does that break any valid uses?
>>     
>
> It should not.
>
> Regards
> Henrik
>
>
>   

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com

Received on Saturday, 18 July 2009 03:35:24 UTC
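The two policies Henrik lists (a: 400 Bad Request on mismatch; b: drop the received Host and regenerate it from the request-URI) are easy to get subtly wrong, because "match" has to be decided after normalising case and default ports, and a repeated Host header is a third case that neither option spells out. The reason a proxy should care is that the origin server picks its virtual host, and any cache downstream picks its key, from Host, while the proxy connects to the authority in the absolute-URI; a client that can get those two to disagree can make the proxy deliver a Host value belonging to one site to the server of another. The sketch below is an added example, not code from the thread, from WinGate or from Squid: it parses a raw request head, compares the URI authority with Host, and applies either policy, converting the outbound request to origin-form as the quoted p1 text requires. The host names (victim.example, attacker.example) and the sample requests are constructed for illustration. The later RFC 7230 (section 5.4) settled the question in favour of option b, requiring a proxy to ignore any received Host on an absolute-form request and regenerate it from the request-target.

```python
"""Added example: Host vs absolute-URI consistency check in a forward proxy.
Not part of the mailing-list thread or any named proxy's source."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_authority(authority, scheme="http"):
    """Lower-case the host and fill in the scheme's default port, so that
    'Example.COM', 'example.com:80' and the authority of 'http://example.com/'
    compare equal. Bracketed IPv6 literals such as '[::1]:8080' are handled.
    Raises ValueError on a non-numeric port."""
    authority = authority.strip()
    if authority.startswith("["):
        close = authority.index("]")
        host, rest = authority[: close + 1], authority[close + 1:]
    else:
        host, sep, rest = authority.partition(":")
        rest = sep + rest
    port = int(rest[1:]) if rest.startswith(":") and rest[1:] else DEFAULT_PORTS[scheme]
    return host.lower(), port


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, version, headers, body).
    headers is an ordered list of (name, value). Raises ValueError if malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def build_request(method, target, version, headers, body):
    """Serialise the outbound request head plus the untouched body."""
    head = ["%s %s %s" % (method, target, version)]
    head += ["%s: %s" % (n, v) for n, v in headers]
    return ("\r\n".join(head) + "\r\n\r\n").encode("iso-8859-1") + body


def _reject(reason):
    return {"action": "reject", "status": 400, "reason": reason}


def handle(raw, policy):
    """Decide what the proxy does with one request.

    policy "reject"  -> option (a): 400 when Host disagrees with the URI authority
                        (a repeated Host header is also treated as malformed)
    policy "rewrite" -> option (b): ignore received Host, regenerate it from the URI

    Returns {"action": "reject", "status": 400, "reason": ...} or
            {"action": "forward", "connect_to": (host, port), "request": bytes}.
    A forwarded absolute-form request is rewritten to origin-form (path?query),
    which is what the next hop expects when it is the origin server."""
    if policy not in ("reject", "rewrite"):
        raise ValueError("unknown policy %r" % policy)
    try:
        method, target, version, headers, body = parse_request(raw)
        host_values = [v for n, v in headers if n.lower() == "host"]
        if not target.startswith(("http://", "https://")):
            # origin-form: there is no second copy of the authority to disagree
            # with, so Host alone decides where the request goes.
            if len(host_values) != 1:
                return _reject("Host header missing or repeated")
            return {"action": "forward",
                    "connect_to": normalize_authority(host_values[0]),
                    "request": raw}
        uri = urlsplit(target)
        connect_to = normalize_authority(uri.netloc, uri.scheme)
        if policy == "reject":
            if len(host_values) > 1:
                return _reject("repeated Host header")
            if host_values and normalize_authority(host_values[0], uri.scheme) != connect_to:
                return _reject("Host %r does not match request-URI authority %r"
                               % (host_values[0], uri.netloc))
        # Either the check passed (so Host is equivalent to the URI authority) or
        # we are in "rewrite" mode and never cared: regenerate Host from the URI,
        # exactly as for an HTTP/1.0 request that arrived without one.
        others = [(n, v) for n, v in headers if n.lower() != "host"]
        origin_form = (uri.path or "/") + ("?" + uri.query if uri.query else "")
        return {"action": "forward", "connect_to": connect_to,
                "request": build_request(method, origin_form, version,
                                         [("Host", uri.netloc)] + others, body)}
    except ValueError as exc:
        return _reject(str(exc))


if __name__ == "__main__":
    # Constructed sample: URI says one host, Host header names another.
    mismatch = (b"GET http://victim.example:8080/index.html HTTP/1.1\r\n"
                b"Host: attacker.example\r\nUser-Agent: test\r\n\r\n")
    for policy in ("reject", "rewrite"):
        print(policy, "->", handle(mismatch, policy))
```

Under policy "rewrite" the mismatched request above goes out to victim.example:8080 as `GET /index.html HTTP/1.1` with `Host: victim.example:8080`; under "reject" it is answered with 400. Note that the comparison is done on the normalised (host, port) pair, so `Host: example.com:80` against `http://Example.COM/` is not a mismatch, which is the kind of false positive option a would otherwise produce.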