Re: RFC 9113 and :authority header field

On Wed, Jun 29, 2022 at 2:07 AM Roy T. Fielding <fielding@gbiv.com> wrote:

> On Jun 28, 2022, at 8:20 AM, Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
> wrote:
>
> Now RFC 9113 is published, we have updated :authority header field
> description,
> basically it says host and :authority cannot disagree.
> My question is, is it still valid to omit :authority and use host?
> RFC 9113 says "client must use :authority header field", but :authority is
> not listed in mandatory header fields.
> I checked a few major sites, and it looks like www.fastly.com and
> www.google.com complain about the missing
> :authority.  www.fastly.com sends back RST_STREAM.  www.google.com
> returns 400 bad request.
> www.google.com still returns 400 if both :authority and host are present.
>
>
> Those are all https sites. https URIs must have a non-empty host. Other
> URIs might
> not have an authority section, and thus Host can be empty. I am not sure
> in that
> case whether :authority is empty or omitted, though I would implement both
> as
> equivalent for an HTTP server.
>
> For example, an HTTP request for urn:ietf:std:97 would have an empty Host
> field
> (to satisfy HTTP/1.1 requirements) and no :authority pseudo-header, IIRC.
> The
> certificate authority (for connecting with TLS) in that case would be in
> the URL
> configured within the user agent as an HTTP proxy for urn:ietf:*, and thus
> it
> wouldn't appear within the HTTP message.
>
>
Thank you for pointing out that there are URIs that do not bear any host
part.
That is why RFC does not mandate :authority header field.

My question is specifically against HTTPS URI.  In RFC 7540, the following
2 requests are mostly equivalent:

1)
:method: GET
:scheme: https
:path: /
:authority: example.com

2)
:method: GET
:scheme: https
:path: /
host: example.com

RFC 7540 even says that an intermediary MUST omit :authority "when translating
from an HTTP/1.1 request that has a request target in
origin or asterisk form (see [RFC7230], Section 5.3)."

Now RFC 9113 has this text:

      An intermediary that forwards a request over HTTP/2 MUST construct
      an ":authority" pseudo-header field using the authority
      information from the control data of the original request, unless
      the original request's target URI does not contain authority
      information (in which case it MUST NOT generate ":authority").
      Note that the Host header field is not the sole source of this
      information; see Section 7.2 of [HTTP].

This means :authority must be included if the host header field exists in
an HTTP/1.1 request.

I think 2) is valid in terms of RFC 7540, but it suddenly becomes invalid
in terms of RFC 9113?
Is this correct?  https://www.fastly.com and https://www.google.com now
reject 2).

Best,

Tatsuhiro Tsujikawa
> Cheers,
>
> ....Roy
>
>

Received on Tuesday, 28 June 2022 23:59:13 UTC
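As an added example (not code from this thread, from nghttp2, or from either correspondent), here is a Python validator for the RFC 9113 Section 8.3.1 request rules that the two requests above exercise: `:method`, `:scheme` and `:path` are mandatory for non-CONNECT requests, an http/https request must carry a non-empty `:authority` or `Host`, and when both are present they must agree. The `strict_authority` flag and the `validate_request`/`Decision` names are this example's own; the flag mirrors the rejection of Host-only requests that the thread reports for www.fastly.com and www.google.com, so a server operator can see both the lenient and the strict behaviour side by side. Comparing authorities case-insensitively is an assumption here; the RFC only says the values must be the same.

```python
"""RFC 9113 Section 8.3.1 request pseudo-header validation (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

MALFORMED = "malformed"
OK = "ok"
# The only request pseudo-header fields RFC 9113 defines; anything else is malformed.
REQUEST_PSEUDO = {":method", ":scheme", ":path", ":authority"}


@dataclass
class Decision:
    status: str                     # OK or MALFORMED
    authority: Optional[str] = None  # effective authority a server should route on
    reason: str = ""


def validate_request(headers: list[tuple[str, str]],
                     strict_authority: bool = False) -> Decision:
    """Validate a decoded HTTP/2 request field block.

    headers: (name, value) pairs in wire order, as produced by an HPACK decoder.
    strict_authority: if True, reject https/http requests that carry only Host
                      (the behaviour the thread observed at two large sites);
                      if False, accept Host as the authority, as RFC 9113 allows.
    """
    pseudo: dict[str, str] = {}
    hosts: list[str] = []
    seen_regular = False
    for name, value in headers:
        if name != name.lower():
            return Decision(MALFORMED, reason=f"uppercase field name {name!r}")
        if name.startswith(":"):
            if seen_regular:  # pseudo-headers must precede all regular fields
                return Decision(MALFORMED, reason=f"{name} after a regular field")
            if name not in REQUEST_PSEUDO:
                return Decision(MALFORMED, reason=f"undefined pseudo-header {name}")
            if name in pseudo:  # "exactly one valid value" per pseudo-header
                return Decision(MALFORMED, reason=f"duplicate {name}")
            pseudo[name] = value
        else:
            seen_regular = True
            if name == "host":
                hosts.append(value)

    method = pseudo.get(":method")
    if method is None:
        return Decision(MALFORMED, reason="missing :method")

    if method == "CONNECT":
        # CONNECT carries only :method and :authority.
        if ":scheme" in pseudo or ":path" in pseudo:
            return Decision(MALFORMED, reason="CONNECT with :scheme or :path")
        if not pseudo.get(":authority"):
            return Decision(MALFORMED, reason="CONNECT without :authority")
        return Decision(OK, authority=pseudo[":authority"])

    for required in (":scheme", ":path"):
        if required not in pseudo:
            return Decision(MALFORMED, reason=f"missing {required}")
    if pseudo[":path"] == "":
        return Decision(MALFORMED, reason="empty :path")

    # More than one Host is a 400 under HTTP/1.1 semantics; treat it the same here.
    if len(hosts) > 1:
        return Decision(MALFORMED, reason="multiple Host fields")
    host = hosts[0] if hosts else None
    authority = pseudo.get(":authority")

    if pseudo[":scheme"] in ("http", "https"):
        if authority is None and host is None:
            return Decision(MALFORMED, reason="no :authority and no Host")
        if authority == "" or host == "":
            return Decision(MALFORMED, reason="empty :authority or Host")
        if authority is not None and host is not None \
                and authority.lower() != host.lower():  # assumption: case-insensitive
            return Decision(MALFORMED, reason="Host disagrees with :authority")
        if authority is None and strict_authority:
            return Decision(MALFORMED, reason=":authority required by local policy")

    return Decision(OK, authority=authority if authority is not None else host)


# Constructed sample requests matching 1) and 2) from the message above.
REQ_AUTHORITY = [(":method", "GET"), (":scheme", "https"), (":path", "/"),
                 (":authority", "example.com")]
REQ_HOST_ONLY = [(":method", "GET"), (":scheme", "https"), (":path", "/"),
                 ("host", "example.com")]

if __name__ == "__main__":
    for label, req in (("1)", REQ_AUTHORITY), ("2)", REQ_HOST_ONLY)):
        print(label, validate_request(req), validate_request(req, strict_authority=True))
```

Running the module prints the lenient and strict decisions for both requests: 1) is accepted either way, while 2) is accepted only when `strict_authority` is off, which is the distinction the thread is asking about.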