Re: Working Group Last Call: HTTP/2 revision

Having taken some time to look at the discussion here and on GitHub, I think that - chairs willing - there seems to be a lot of support for a change here.

I've based this work on Roy's suggestion, but that is not sufficient on its own to be complete and consistent, so there are several changes:

1. clients MUST NOT generate a request where Host and :authority differ

  --> This was always implied, but was originally left out deliberately to allow for divergence.  That's no longer the case.

2. servers MAY treat requests as malformed if Host and :authority are different

  --> I don't think this needs to be stronger.  Servers that do check create enough incentive for clients not to do the wrong thing.  It also means that servers that allow for the difference for the same reasons behind the original text won't technically be non-compliant, even if their clients are.

3. Intermediaries MUST overwrite Host with :authority when forwarding to HTTP/1.1 (as Roy suggested)

  --> I'm a little reluctant to talk about HTTP/1.1 behaviour, but I think that this is warranted in this case.

4. An intermediary that forwards a request over HTTP/2 MAY retain any Host header field.

  --> This used to say "MUST", but in order to be consistent with the rest of this text I think we can leave this as optional.  I'm less sure about this as it leaves unsaid whether Host can be inconsistent in this case (point 1 only talks about generating requests, not forwarding them).  The reason to keep this is to permit legacy (RFC 7540) behaviour.

We already say to ignore Host if :authority is present, which is the most important protection.

Pull request: https://github.com/httpwg/http2-spec/pull/968

Received on Tuesday, 14 September 2021 03:27:41 UTC
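The four points above, plus the "ignore Host if :authority is present" rule, as an added worked example that is not part of the message or of the httpwg pull request. It models an HTTP/2 header list as an ordered list of (name, value) pairs with names already lower-cased, and shows what a server (points 1 and 2), an HTTP/1.1-downgrading intermediary (point 3) and an HTTP/2-forwarding intermediary (point 4) each do with a request whose Host and :authority disagree. All function and class names here are my own assumptions.

```python
"""Added example, not code from the HTTP WG thread or the http2-spec repository.

Header names are assumed to be lower-cased already, as HTTP/2 requires; an
HTTP/2 header list is an ordered list of (name, value) pairs in which
pseudo-header fields start with ':'.
"""

from typing import List, Optional, Tuple

HeaderList = List[Tuple[str, str]]


class MalformedRequest(Exception):
    """Raised when a server exercises point 2 and rejects a Host/:authority mismatch."""


def _get(headers: HeaderList, name: str) -> Optional[str]:
    """Return the first value for a header field name, or None if absent."""
    for n, v in headers:
        if n == name:
            return v
    return None


def effective_authority(headers: HeaderList, strict: bool = False) -> Optional[str]:
    """Server side: :authority is authoritative and Host is ignored when it is present.

    With strict=True the server takes up the MAY in point 2 and treats a request
    whose Host and :authority differ as malformed; with strict=False it silently
    uses :authority, which is the baseline protection the last paragraph describes.
    """
    authority = _get(headers, ":authority")
    host = _get(headers, "host")
    if authority is None:
        return host  # no :authority present, so Host is all we have
    if strict and host is not None and host != authority:
        raise MalformedRequest(f"Host {host!r} != :authority {authority!r}")
    return authority


def is_malformed(headers: HeaderList) -> bool:
    """Convenience wrapper: True if a strict server would reject this request."""
    try:
        effective_authority(headers, strict=True)
    except MalformedRequest:
        return True
    return False


def forward_to_http11(headers: HeaderList) -> HeaderList:
    """Point 3: when forwarding to HTTP/1.1, overwrite Host with :authority.

    Pseudo-header fields are dropped (they do not exist in HTTP/1.1), every
    Host field is replaced by a single Host carrying :authority, and a Host is
    synthesised if the HTTP/2 request carried none.
    """
    authority = _get(headers, ":authority")
    out: HeaderList = []
    host_written = False
    for n, v in headers:
        if n.startswith(":"):
            continue
        if n == "host":
            if authority is None:
                out.append((n, v))  # nothing to overwrite with; pass Host through
            elif not host_written:
                out.append(("host", authority))
                host_written = True
            continue  # drop any further Host fields
        out.append((n, v))
    if authority is not None and not host_written:
        out.insert(0, ("host", authority))
    return out


def forward_to_http2(headers: HeaderList, keep_host: bool = True) -> HeaderList:
    """Point 4: over HTTP/2 the intermediary MAY retain Host (legacy RFC 7540
    behaviour) or drop it so that :authority is the only authority downstream."""
    if keep_host:
        return list(headers)
    return [(n, v) for n, v in headers if n != "host"]


if __name__ == "__main__":
    # Constructed sample: a request whose Host disagrees with :authority.
    req: HeaderList = [
        (":method", "GET"),
        (":scheme", "https"),
        (":authority", "example.com"),
        (":path", "/"),
        ("host", "other.example"),
        ("accept", "*/*"),
    ]
    print("lenient server uses:", effective_authority(req))
    print("strict server rejects:", is_malformed(req))
    print("to HTTP/1.1:", forward_to_http11(req))
    print("to HTTP/2, Host dropped:", forward_to_http2(req, keep_host=False))
```

The two intermediary functions make the asymmetry in the message concrete: the HTTP/1.1 path has no :authority to carry the real target, so Host is rewritten unconditionally, whereas the HTTP/2 path can keep a divergent Host because every compliant receiver ignores it once :authority is present.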