Re: RFC 9113 and :authority header field

On Thu, Jun 30, 2022 at 10:32:35AM -0700, Roy T. Fielding wrote:
> Heh, no worries ... I was wondering how it could possibly work, unless
> you happened to be testing on single-origin default servers. It makes me
> wonder what happens when a hostless request hits a CDN -- I haven't
> even tested that in ages.

IMHO it would mostly depend on how the first hop behaves (e.g. whether
or not it will reconstruct a Host field from the authority).

One nice thing that H2 brought us implementers was the need to reconsider
how we split requests in smaller parts, and to check these parts against
each other. Previously with H1 we could do everything by rewriting a
request line and header fields, but once you have to rebuild those by
assembling some parts from pseudo-headers based on certain conditions,
it forces you to see your requests differently, and certainly to
centralize some checks. For example for a long time I didn't compare
Host and authority since I was passing the request as-is to the next
hop, so it would receive it as sent and was the one having to decide
whether to accept or reject it. Transcoding H2 to/from H1 changes the
rules and forces consistency checks at various places (and wakes up
incompatible implementations in field :-)). But overall it increases
security and helps spotting non-compliant components so that helps
cleaning the net overall.


Received on Thursday, 30 June 2022 18:34:05 UTC