Re: Benjamin Kaduk's Discuss on draft-ietf-httpbis-messaging-16: (with DISCUSS and COMMENT)

Unless I missed it, we didn't create an issue to track this, so:
  https://github.com/httpwg/http-core/issues/896
... and created a PR to implement the solution outlined below.

Could folks please take a look and leave feedback (there or here)?

Cheers,

> On 7 Jul 2021, at 10:45 am, Benjamin Kaduk <kaduk@mit.edu> wrote:
>> 
>> Aha - I see what's happened. In 3.3 of 1.1 <https://httpwg.org/http-core/draft-ietf-httpbis-messaging-latest.html#reconstructing.target.uri> I was skimming by the initial text:
>> 
>>> The target URI is the request-target when the request-target is in absolute-form.
>> 
>> ... whereas you obviously picked up on it. I agree that there's an issue here.
> 
> Yes, exactly, that's what stuck out at me.  Sorry for not quoting it more
> explicitly from the start.
> 
>> The decisions about absolute-form requests were made *way* back when. My reading of the archive (circa September and October 1995 -- I'm sure those that were there will correct me) is that Host headers were added to address the multiple-hosts-on-an-IP problem in a way that was backwards-compatible with HTTP/1.0, but because some folks wanted to enable the use of URNs, proxies were required to support and use the absolute form, so that URNs could be (theoretically) resolvable through them. That didn't happen, but it is possible to use e.g., FTP through an HTTP proxy as a result (last I looked).
>> 
>> I think the solution here is to restrict the statement above so that it only applies to proxies, and to add a requirement for origin servers (including gateways) to specifically check absolute-form URIs for alignment regarding the scheme.
>> 
>> Does that make sense to everyone (especially Roy, who has the most history here)?
> 
> That makes perfect sense to me, but I expect that we should make strenuous
> efforts to hear from others who have more knowledge of the history before
> proceeding with it.


--
Mark Nottingham   https://www.mnot.net/

Received on Wednesday, 7 July 2021 06:49:33 UTC
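
The split proposed in the message above (absolute-form used as-is only by proxies, origin servers checking the scheme) can be sketched as follows. This is an added example, not text from the thread, the draft, or the linked PR. The function and exception names are hypothetical, and "alignment" is assumed here to mean that the request-target's scheme equals the scheme implied by the connection (TLS means https, cleartext means http).

```python
from urllib.parse import urlsplit


class SchemeMismatch(Exception):
    """Absolute-form request-target disagrees with the connection's scheme."""


def target_uri(request_target, host_header, conn_is_tls, role="origin"):
    """Reconstruct the target URI for an HTTP/1.1 request line.

    role="proxy":  an absolute-form request-target is the target URI as-is.
    role="origin": (assumption) its scheme must match the connection, so a
    cleartext client cannot make a request look like it arrived over https.
    A fixed scheme configured behind a trusted gateway is out of scope here.
    """
    conn_scheme = "https" if conn_is_tls else "http"
    parts = urlsplit(request_target)
    absolute_form = bool(parts.scheme and parts.netloc)

    if not absolute_form:
        # origin-form: scheme comes from the connection, authority from Host.
        if not request_target.startswith("/"):
            raise ValueError("only origin-form and absolute-form are handled")
        if not host_header:
            raise ValueError("origin-form request without a Host header")
        return f"{conn_scheme}://{host_header}{request_target}"

    if role == "proxy":
        # Proxies forward whatever scheme the client asked for (e.g. ftp).
        return request_target

    # Origin server or gateway: refuse a scheme the connection cannot back up.
    if parts.scheme != conn_scheme:  # urlsplit already lower-cases the scheme
        raise SchemeMismatch(
            f"request-target scheme {parts.scheme!r} on a {conn_scheme} connection"
        )
    return request_target


if __name__ == "__main__":
    # Constructed sample request lines, not captured traffic.
    print(target_uri("/index.html", "www.example.org", conn_is_tls=True))
    print(target_uri("ftp://ftp.example.org/f", None, False, role="proxy"))
    try:
        target_uri("https://www.example.org/", "www.example.org", conn_is_tls=False)
    except SchemeMismatch as exc:
        print("rejected:", exc)
```
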