Re: RFC 9113 and :authority header field

> On Jun 28, 2022, at 8:20 AM, Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com> wrote:
> 
> Now RFC 9113 is published, we have updated :authority header field description,
> basically it says host and :authority cannot disagree.
> My question is, is it still valid to omit :authority and use host?
> RFC 9113 says "client must use :authority header field", but :authority is not listed in mandatory header fields.
> I checked a few major sites, and it looks like www.fastly.com and www.google.com complain about the missing :authority. www.fastly.com sends back RST_STREAM. www.google.com returns 400 bad request.
> www.google.com still returns 400 if both :authority and host are present.

Those are all https sites. https URIs must have a non-empty host. Other URIs might
not have an authority section, and thus Host can be empty. I am not sure in that
case whether :authority is empty or omitted, though I would implement both as
equivalent for an HTTP server.

For example, an HTTP request for urn:ietf:std:97 would have an empty Host field
(to satisfy HTTP/1.1 requirements) and no :authority pseudo-header, IIRC.  The
certificate authority (for connecting with TLS) in that case would be in the URL
configured within the user agent as an HTTP proxy for urn:ietf:*, and thus it
wouldn't appear within the HTTP message.

Cheers,

....Roy

Received on Tuesday, 28 June 2022 17:07:35 UTC
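How a server might reconcile :authority and Host along the lines discussed above (treating an absent and an empty :authority alike, rejecting a disagreement, and requiring a non-empty host for https), as an added example that is not from the thread or from any particular HTTP/2 implementation; the header-block shape and the case-insensitive comparison are assumptions:

```python
from typing import Iterable, Optional, Tuple

# Assumption (not from the thread): a header block arrives as (name, value)
# pairs with names already lowercased, as an HTTP/2 decoder delivers them.
Header = Tuple[str, str]


class MalformedRequest(Exception):
    """Request should be rejected (400 Bad Request or RST_STREAM)."""


def resolve_authority(headers: Iterable[Header]) -> Optional[str]:
    """Return the request's effective authority, or None if it has none.

    Rules, as discussed in the thread for RFC 9113: :authority and Host
    must not disagree (compared case-insensitively, no default-port
    normalisation); :authority may be omitted, in which case Host supplies
    the authority; an empty :authority or Host counts as absent; and an
    https request must end up with a non-empty authority.
    """
    authority: Optional[str] = None
    host: Optional[str] = None
    scheme: Optional[str] = None
    for name, value in headers:
        if name == ":authority":
            authority = value or None  # "" and absent are equivalent
        elif name == "host":
            host = value or None
        elif name == ":scheme":
            scheme = value
    if (authority is not None and host is not None
            and authority.lower() != host.lower()):
        raise MalformedRequest(":authority and Host disagree")
    effective = authority if authority is not None else host
    if scheme == "https" and effective is None:
        raise MalformedRequest("https request without a host")
    return effective


def is_malformed(headers: Iterable[Header]) -> bool:
    """True if resolve_authority() would reject the request."""
    try:
        resolve_authority(headers)
    except MalformedRequest:
        return True
    return False
```

Requests with an ambiguous target are rejected outright rather than routed on a guess, which is the behaviour the two sites in the thread exhibit.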