Re: Host header checks and case sensitivity

Hi Mark,

On Wed, Dec 13, 2023 at 09:31:01AM +0000, Mark Thomas wrote:
> On 12/12/2023 16:59, Julian Reschke wrote:
> > On 12.12.2023 15:12, Mark Thomas wrote:
> > > Hi all,
> > > 
> > > A (hopefully) quick question.
> > > 
> > > In RFC 9112, section it states that:
> > > 
> > > "If the target URI includes an authority component, then a client MUST
> > > send a field value for Host that is identical to that authority
> > > component..."
> > > 
> > > Given that host is case insensitive, is the intention that "identical"
> > > in the text above means "identical, ignoring differences in case"?
> > > 
> > > I can't think of any reason why this particular check needs to be case
> > > sensitive but wanted to check in case I was missing something.
> > > ...
> > 
> > The text seems to lack clarity here.
> > 
> > Are you concerned about client requirements, or do you want to add
> > strict checks to a server?
> 
> Tomcat currently checks this in a case sensitive manner. A user has reported
> that this is causing issues for a client. Before I relax the check to be
> case insensitive I wanted to check I wasn't missing anything.

I have already observed case inconsistencies in the past on this as
well (I don't remember where though). In haproxy we perform a case
insensitive comparison.

> If relaxing was OK, a follow-up question was going to be should I file an
> erratum or follow some other process to clarify this requirement.

Actually I think this part should remain like this because we still
want to make sure clients act as cleanly as possible. Maybe it's
rather where it's mentioned that the server must check for a match
that we'd need to mention that case insensitive might be needed.
Please note that I'm suggesting this without currently checking in
the spec itself.

Just my two cents,
Willy

Received on Wednesday, 13 December 2023 14:54:41 UTC
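The check under discussion, worked through as an added example (this is illustration code written for this page, not Tomcat's or haproxy's implementation, and the function names `target_authority`, `split_host_port`, `host_matches_authority` and `check_request` are this example's own). It extracts the authority component from an absolute-form or authority-form request-target, then compares it with the Host field value, lowercasing the host part (which RFC 3986 defines as case-insensitive) while leaving the port as written, so that "example.com" and "example.com:80" are still treated as different, as a literal reading of "identical" implies:

```python
"""Compare an HTTP/1.1 Host field value with the request-target's authority.

Illustration code for the thread above; not the code of any real server.
The host part is compared case-insensitively; the port must be written
identically (no default-port normalisation) because the RFC text says
"identical", not "equivalent".
"""


def target_authority(request_target: str):
    """Return the authority component of a request-target, or None if none.

    Handles the four RFC 9112 request-target forms: origin-form ("/path"),
    asterisk-form ("*"), absolute-form ("http://host:port/path") and
    authority-form ("host:port", used by CONNECT).
    """
    if request_target == "*" or request_target.startswith("/"):
        return None                                  # no authority to compare
    _scheme, sep, rest = request_target.partition("://")
    if sep:                                          # absolute-form
        for stop in "/?#":                           # authority ends at first / ? #
            rest = rest.split(stop, 1)[0]
        return rest                                  # may contain userinfo; then it
    return request_target                            # never matches Host, which is fine
                                                     # (userinfo is forbidden in HTTP)


def split_host_port(authority: str):
    """Split 'host[:port]' into (host, port-or-None); supports [IPv6] literals."""
    if authority.startswith("["):                    # bracketed IP-literal
        end = authority.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = authority[: end + 1], authority[end + 1 :]
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal")
        port = rest[1:]
    else:
        host, sep, port = authority.partition(":")
        if not sep:
            return host, None
    if port == "":                                   # RFC 3986 allows an empty port
        return host, None
    if not port.isdigit():
        raise ValueError("non-numeric port: %r" % port)
    return host, port


def host_matches_authority(host_field: str, authority: str,
                           case_sensitive: bool = False) -> bool:
    """True if the Host field value is 'identical' to the authority component.

    With case_sensitive=False (the behaviour haproxy uses, per the thread) the
    host part is lowercased on both sides before comparison; the port is not
    normalised, so a present/absent or differing port is a mismatch.
    """
    h_host, h_port = split_host_port(host_field.strip())   # strip optional OWS
    a_host, a_port = split_host_port(authority.strip())
    if not case_sensitive:
        h_host, a_host = h_host.lower(), a_host.lower()
    return h_host == a_host and h_port == a_port


def check_request(request_target: str, host_field: str) -> bool:
    """Apply the RFC 9112 rule to one request: only absolute-form and
    authority-form targets carry an authority that Host must match."""
    authority = target_authority(request_target)
    if authority is None:
        return True
    return host_matches_authority(host_field, authority)


if __name__ == "__main__":
    # Constructed sample requests (request-target, Host value) for a quick run.
    samples = [
        ("http://Example.COM/index.html", "example.com"),   # differs only in case
        ("http://example.com:8080/", "example.com:80"),     # port differs
        ("http://example.com:80/", "example.com"),          # default port omitted
        ("/index.html", "anything.example"),                # origin-form: no check
        ("[2001:DB8::1]:443", "[2001:db8::1]:443"),         # CONNECT with IPv6
    ]
    for target, host in samples:
        print("%-35s Host: %-20s -> %s" % (target, host, check_request(target, host)))
```

The `case_sensitive` switch exists only to show the difference between the two interpretations discussed in the thread; a server choosing the relaxed check would leave it at its default.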