- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Tue, 28 Jun 2022 10:07:14 -0700
- To: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
- Cc: HTTP <ietf-http-wg@w3.org>
- Message-Id: <D7142A8A-5B80-46F5-A653-2307EE2DC5D8@gbiv.com>

> On Jun 28, 2022, at 8:20 AM, Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com> wrote:
>
> Now RFC 9113 is published, we have updated :authority header field description,
> basically it says host and :authority cannot disagree.
> My question is, is it still valid to omit :authority and use host?
> RFC 9113 says "client must use :authority header field", but :authority is not listed in mandatory header fields.
> I checked a few major sites, and it looks like www.fastly.com <http://www.fastly.com/> and www.google.com <http://www.google.com/> complain about the missing :authority. www.fastly.com <http://www.fastly.com/> sends back RST_STREAM. www.google.com <http://www.google.com/> returns 400 bad request.
> www.google.com <http://www.google.com/> still returns 400 if both :authority and host are present.

Those are all https sites. https URIs must have a non-empty host.

Other URIs might not have an authority section, and thus Host can be empty. I am not sure in that case whether :authority is empty or omitted, though I would implement both as equivalent for an HTTP server.

For example, an HTTP request for urn:ietf:std:97 would have an empty Host field (to satisfy HTTP/1.1 requirements) and no :authority pseudo-header, IIRC. The certificate authority (for connecting with TLS) in that case would be in the URL configured within the user agent as an HTTP proxy for urn:ietf:*, and thus it wouldn't appear within the HTTP message.

Cheers,

....Roy

Received on Tuesday, 28 June 2022 17:07:35 UTC
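
A server-side sketch of the rules discussed in this message, added here as an example and not taken from the thread or from any implementation: omitted and empty :authority are treated as equivalent, Host and :authority may not disagree, and http/https requests need a non-empty host. The names `effective_authority` and `MalformedRequest`, the default-port normalization, and the choice to accept Host when :authority is absent are assumptions of this sketch.

```python
from typing import Optional

# Default ports, so "example.com:443" and "example.com" compare equal for https.
DEFAULT_PORTS = {"http": "80", "https": "443"}


class MalformedRequest(ValueError):
    """The request's target authority is missing or inconsistent."""


def _normalize(value: Optional[str], scheme: str) -> str:
    # Omitted (None) and empty values are treated as equivalent.
    v = (value or "").strip().lower()
    name, sep, port = v.rpartition(":")
    # Strip only the scheme's default port; "[::1]" has no numeric tail
    # after its last colon, so bracketed IPv6 literals pass through intact.
    if sep and port.isdigit() and port == DEFAULT_PORTS.get(scheme):
        return name
    return v


def effective_authority(scheme: str, authority: Optional[str],
                        host: Optional[str]) -> str:
    """Return the authority to route on, or raise MalformedRequest.

    authority: value of the :authority pseudo-header (None if omitted).
    host:      value of the Host header field (None if omitted).
    """
    scheme = scheme.lower()
    auth = _normalize(authority, scheme)
    hst = _normalize(host, scheme)
    # When both carry a value they must identify the same entity.
    if auth and hst and auth != hst:
        raise MalformedRequest(f":authority {auth!r} disagrees with Host {hst!r}")
    # Assumed policy: fall back to Host when :authority is absent or empty.
    chosen = auth or hst
    # http and https URIs must have a non-empty host.
    if scheme in DEFAULT_PORTS and not chosen:
        raise MalformedRequest(f"{scheme} request without a host")
    # Schemes without an authority section (e.g. urn) may yield "".
    return chosen
```

Routing, virtual-host selection and access-control decisions should all use the single value this returns, so that no later component re-reads Host or :authority on its own.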