Re: Host and :authority (was Re: Working Group Last Call: HTTP/2 revision)

On Tue, 7 Sept 2021 at 02:50, Willy Tarreau <w@1wt.eu> wrote:

> On Mon, Sep 06, 2021 at 03:20:54PM +1000, Martin Thomson wrote:
> > I've seen a few amendments suggested in this thread (and others):
> >
> > a. We might make :authority mandatory in more cases.
> > b. We might prohibit inclusion of both values.
> > c. We might prohibit different values if the fields are both present.
> > d. We might avoid levying requirements on intermediaries that forward
> requests.
> >
> > We are limited in what we can do here because we can't require anything
> that
> > might result in an unmodified RFC 7540 implementation producing fatal
> errors.
> > For instance, we might insist that clients not include both fields, but
> we
> > can't require servers to enforce that.  That limits the value of any
> change.
>
> I think that the least impacting one would be C.
>

+1


>
> Maybe the very least we could do is to add:
>
>    An implementation which detects that Host and :authority do not match
>    MAY reject the request as malformed.
>
> We don't take risks and I'm sure most of us will instantly enforce this.
> I'd personally prefer a SHOULD or even a MUST


I'd also be OK with a MUST here.

For my own code base, the code that will be determining if a Host header
should be passed onto the next layer up has no idea if it is going to be
proxied or not.  So even if passing on a mismatched Host header was OK for
a proxy, I'd have trouble enforcing that and no matter what it would end up
as some extra expense for the 99.999% of requests that are not like that.

If we have a "MUST be the same", then it is simple for an impl to check if
Host header is the same as the :authority (which must have already been
parsed) and the treat as malformed if different.  If it is the same, then
it is safe to pass on to the next layer regardless of how it is going to be
used.

-- 
Greg Wilkins <gregw@webtide.com> CTO http://webtide.com