- From: Willy Tarreau <w@1wt.eu>
- Date: Thu, 17 Jul 2025 11:29:29 +0200
- To: Lucas Pardue <lucas@lucaspardue.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Hi Lucas,

On Thu, Jul 17, 2025 at 01:51:22AM +0100, Lucas Pardue wrote:
> Hi folks,
>
> A colleague asked me a question and I couldn't land on a conclusive answer
> for them, so wondered what the rest of you might think.
>
> We're fully aware that H2 and H3 allow situations where there could be an
> :authority and/or host. The language in RFC 9114 [1] is pretty clear on what
> to do when one, none, or both are present.
>
> However, the question is what should happen if an H2 or H3 request contains
> multiple Host headers. RFC 9112 (HTTP/1.1) says [2]
>
> > A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1
> > request message that lacks a Host header field and to any request message
> > that contains more than one Host header field line or a Host header field
> > with an invalid field value.
>
> Were H2 and H3 "relaxed" in this sense due to the interchangeability of
> :authority and Host? Even so, it seems weird to me to allow multiple Hosts
> like this. If there is GitHub archaeology on this I apologise but a cursory
> check couldn't land me on anything useful.

I don't remember about particular earlier discussions on that topic, but
in haproxy we're deduplicating Host, i.e. we reject requests where Host
differs from authority or from any possibly previous host, and only keep
one host if there was no authority. The point is (and I suspect that your
colleague faced this situation), from time to time we've met requests with
a duplicate host field for whatever bad reason, so if they're the same we
still accept them but just keep one.

Hoping this helps,
Willy
Received on Thursday, 17 July 2025 09:29:38 UTC
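
The deduplication policy described in the message above, sketched in Python as an added example; it is not HAProxy's code and not part of the original e-mail. The names `effective_host` and `BadRequest`, the case-insensitive comparison and the sample requests are assumptions made for illustration.

```python
class BadRequest(Exception):
    """The request carries conflicting host information."""


def effective_host(fields):
    """Return (host, remaining_fields) for an H2/H3 request field list.

    `fields` is a list of (name, value) pairs in wire order, pseudo-header
    fields included. Every :authority and Host line must agree; identical
    repeats are tolerated and collapsed, any mismatch raises BadRequest.
    The caller re-emits exactly one :authority or Host from `host`.
    `host` is None when the request carried neither field.
    """
    seen = None
    have_authority = False
    remaining = []
    for name, value in fields:
        lname = name.lower()
        if lname not in (":authority", "host"):
            remaining.append((name, value))
            continue
        if lname == ":authority":
            if have_authority:
                # Pseudo-header fields must not repeat in H2/H3.
                raise BadRequest("duplicate :authority")
            have_authority = True
        # Assumption: values compare case-insensitively; no other
        # normalisation (default port, trailing dot) is attempted.
        candidate = value.strip().lower()
        if seen is not None and candidate != seen:
            raise BadRequest(f"host mismatch: {seen!r} vs {candidate!r}")
        seen = candidate
    return seen, remaining


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "authority + same Host": [(":authority", "example.com"), ("host", "example.com")],
    "Host twice, identical": [("host", "example.org"), ("host", "EXAMPLE.org")],
    "Host twice, different": [("host", "example.org"), ("host", "internal.test")],
    "authority != Host": [(":authority", "example.com"), ("host", "internal.test")],
}

if __name__ == "__main__":
    for label, fields in SAMPLES.items():
        try:
            print(f"{label}: accept, host={effective_host(fields)[0]}")
        except BadRequest as exc:
            print(f"{label}: reject ({exc})")
```

Rejecting mismatches at the first hop keeps a front end and the server behind it from routing on different host values for the same request.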