- From: Willy Tarreau <w@1wt.eu>
- Date: Thu, 30 Jun 2022 20:33:48 +0200
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>, HTTP <ietf-http-wg@w3.org>
On Thu, Jun 30, 2022 at 10:32:35AM -0700, Roy T. Fielding wrote:
> Heh, no worries ... I was wondering how it could possibly work, unless
> you happened to be testing on single-origin default servers. It makes me
> wonder what happens when a hostless request hits a CDN -- I haven't
> even tested that in ages.

IMHO it would mostly depend on how the first hop behaves (e.g. whether or not it will reconstruct a Host field from the authority).

One nice thing that H2 brought us implementers was the need to reconsider how we split requests into smaller parts, and to check these parts against each other. Previously with H1 we could do everything by rewriting a request line and header fields, but once you have to rebuild those by assembling some parts from pseudo-headers based on certain conditions, it forces you to see your requests differently, and certainly to centralize some checks.

For example, for a long time I didn't compare Host and authority since I was passing the request as-is to the next hop, so it would receive it as sent and was the one having to decide whether to accept or reject it. Transcoding H2 to/from H1 changes the rules and forces consistency checks at various places (and wakes up incompatible implementations in the field :-)). But overall it increases security and helps spot non-compliant components, so that helps clean the net overall.

Cheers,
Willy
Received on Thursday, 30 June 2022 18:34:05 UTC
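The consistency check the message describes, as an added example that is not part of the thread and is neither Willy's nor HAProxy's code: a small H2-to-H1 transcoder that rebuilds the request line and the Host field from the pseudo-headers and refuses a request whose Host and :authority name different entities (RFC 9113, section 8.3.1), or that carries no authority at all rather than forwarding it hostless. The function name `h2_to_h1`, the input representation (a dict of pseudo-headers plus a list of name/value pairs) and the sample requests are assumptions made for this example; port normalisation (e.g. treating `example.com` and `example.com:443` as equal) is deliberately left out.

```python
# Added example, not code from the message or from any particular proxy:
# transcode an H2 request head into HTTP/1.1 and reject inconsistent ones.
from typing import Dict, List, Tuple


class MalformedRequest(ValueError):
    """Raised when the H2 request cannot safely be turned into an H1 one."""


def _host_values(headers: List[Tuple[str, str]]) -> List[str]:
    """Collect every Host field value (H2 field names are lower-case on the wire)."""
    return [v.strip() for (n, v) in headers if n.lower() == "host"]


def h2_to_h1(pseudo: Dict[str, str], headers: List[Tuple[str, str]]) -> bytes:
    """Build an HTTP/1.1 request head from H2 pseudo-headers and regular fields.

    Rules applied (RFC 9113 section 8.3.1, plus HTTP/1.1's mandatory Host):
      * :method is mandatory; :path and :scheme are mandatory except for CONNECT
      * conflicting Host values are rejected (two hops must not disagree on the origin)
      * when both Host and :authority are present they must match (case-insensitive,
        no port normalisation: an assumption of this example)
      * the emitted Host comes from :authority, falling back to Host; a request
        with neither is rejected instead of being forwarded hostless
    """
    method = pseudo.get(":method")
    if not method:
        raise MalformedRequest("missing :method")

    authority = pseudo.get(":authority", "").strip()
    hosts = _host_values(headers)
    if len({h.lower() for h in hosts}) > 1:
        raise MalformedRequest("conflicting Host fields")
    host = hosts[0] if hosts else ""
    if authority and host and authority.lower() != host.lower():
        raise MalformedRequest(f"Host {host!r} differs from :authority {authority!r}")
    target_host = authority or host
    if not target_host:
        raise MalformedRequest("no :authority and no Host: refusing hostless request")

    if method == "CONNECT":
        # CONNECT carries only :method and :authority; the target is the authority.
        if ":path" in pseudo or ":scheme" in pseudo:
            raise MalformedRequest("CONNECT must not carry :path or :scheme")
        request_target = target_host
    else:
        path = pseudo.get(":path")
        if not path or ":scheme" not in pseudo:
            raise MalformedRequest("missing :path or :scheme")
        request_target = path

    # Request line, then a single reconstructed Host, then the remaining fields.
    lines = [f"{method} {request_target} HTTP/1.1", f"Host: {target_host}"]
    for name, value in headers:
        if name.lower() == "host":
            continue  # replaced by the Host rebuilt from the authority above
        lines.append(f"{name}: {value}")
    try:
        return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")
    except UnicodeEncodeError as exc:
        raise MalformedRequest("non-ASCII field content") from exc


def is_rejected(pseudo: Dict[str, str], headers: List[Tuple[str, str]]) -> bool:
    """True when h2_to_h1 refuses the request; used to exercise the checks."""
    try:
        h2_to_h1(pseudo, headers)
    except MalformedRequest:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    ok = {":method": "GET", ":scheme": "https", ":path": "/", ":authority": "example.com"}
    print(h2_to_h1(ok, [("user-agent", "demo")]).decode())
    print("mismatch rejected:", is_rejected(ok, [("host", "other.example")]))
    print("hostless rejected:", is_rejected({":method": "GET", ":scheme": "https", ":path": "/"}, []))
```

Because the first hop now rebuilds Host itself, the next hop sees one consistent request head whichever protocol the client spoke, and a mismatch is refused at the edge instead of being left for a downstream H1 server to interpret.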