Re: RFC 9113 and :authority header field from Willy Tarreau on 2022-07-04 (ietf-http-wg@w3.org from July to September 2022)

From: Willy Tarreau <w@1wt.eu>
Date: Mon, 4 Jul 2022 08:54:09 +0200
To: Kazuho Oku <kazuhooku@gmail.com>
Cc: Martin Thomson <mt@lowentropy.net>, HTTP Working Group <ietf-http-wg@w3.org>, Ian Swett <ianswett@google.com>
Message-ID: <20220704065409.GA28855@1wt.eu>

Hi Kazuho,

On Mon, Jul 04, 2022 at 10:42:27AM +0900, Kazuho Oku wrote:
> > "An intermediary that forwards a request over HTTP/2 MUST construct an "
> > :authority" pseudo-header field using the authority information from the
> > control data of the original request, unless the original request's target
> > URI does not contain authority information (in which case it MUST NOT
> > generate ":authority")."
> >
> 
> This MUST seems to come from
> https://github.com/httpwg/http2-spec/pull/845/files.
> 
> As of #845, we mandate intermediaries forward origin-form requests (e.g., a
> "GET / HTTP/1.1" + Host) using an `:authority` request header field.
> 
> Maybe these changes have been unintentional.

No, reread carefully what it says, it's the opposite, so there's no problem:

  - If the control data in the original request contains
    authority information, an intermediary MUST include a <tt>:authority</tt>
    pseudo-header field.

  - If control data does not contain authority, an intermediary
    MUST NOT add an <tt>:authority</tt> pseudo-header field.

  For reference, an HTTP/1.1 <xref target="HTTP11" section="3.2">request
  target</xref> in authority-form always includes authority, a request
  target in absolute-form includes authority if the target URI includes
  authority, and request targets in origin- or asterisk-form do not
  include authority.

I.e. "GET / HTTP/1.1 + Host" must NOT create a ":authority", so that's fine.

> Regarding H2O, we did not intend to enforce the use of `:authority` pseudo
> header field, so I have no problem in reverting the behavior.

Then it's already fine and you don't need to change it :-)

> But
> nevertheless, I think it's worth discussing the state of the specification.

It's important to preserve the original information when you chain several
layers of gateways in different versions, and the current state of the spec
allows to do that as unambiguously as possible, by clearly distinguishing
the Host header field and :authority (the one being part of the request
line).

Cheers,
Willy

Received on Monday, 4 July 2022 06:54:27 UTC