Re: Handling multiple Host header fields in HTTP/2 and HTTP/3

Hey Willy,

On Thu, 17 Jul 2025, 10:33 Willy Tarreau, <w@1wt.eu> wrote:

> Hi Lucas,
>
> On Thu, Jul 17, 2025 at 01:51:22AM +0100, Lucas Pardue wrote:
> > Hi folks,
> >
> > A colleague asked me a question and I couldn't land on a conclusive answer
> > for them, so wondered what the rest of you might think.
> >
> > We're fully aware that H2 and H3 allow situations where there could be an
> > :authority and/or host. The language in RFC 9114 [1] is pretty clear on what
> > to do when one, none, or both are present.
> >
> > However, the question is what should happen if an H2 or H3 request contains
> > multiple Host headers. RFC 9112 (HTTP/1.1) says [2]
> >
> > > A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1
> > > request message that lacks a Host header field and to any request message
> > > that contains more than one Host header field line or a Host header field
> > > with an invalid field value.
> >
> > Were H2 and H3 "relaxed" in this sense due to the interchangeability of
> > :authority and Host? Even so, it seems weird to me to allow multiple Hosts
> > like this. If there is github archaeology on this I apologise, but a cursory
> > check couldn't land me on anything useful.
>
> I don't remember about particular earlier discussions on that topic, but
> in haproxy we're deduplicating Host, i.e. we reject requests where Host
> differs from authority or from any possibly previous host, and only keep
> one host if there was no authority. The point is (and I suspect that your
> colleague faced this situation), from time to time we've met requests with
> a duplicate host field for whatever bad reason, so if they're the same we
> still accept them but just keep one.
>

Yes, you read my mind a bit: there is deduplication after validation. I just
can't seem to square the circle on whether to enforce the multiple-Host
check unilaterally across versions or not. Any time there is a mismatch
like this, there is a risk a customer gets confused about why something that
worked one way with HTTP/1.1 suddenly didn't work the same when they change
version.

Cheers
Lucas

>
> Hoping this helps,
> Willy
>
>

Received on Thursday, 17 July 2025 10:19:10 UTC
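As an added illustration of the "validate, then deduplicate" rule Willy describes (this is not haproxy's code and not from the thread): any Host fields are compared against :authority and against each other, any disagreement is rejected, and otherwise a single value is kept. The case-insensitive comparison and rejecting a request that carries neither field are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class Decision:
    accept: bool            # False means "answer 400 Bad Request"
    host: Optional[str]     # the single Host value kept when accepted
    reason: str


def normalize(value: str) -> str:
    # Assumption: hosts are compared case-insensitively after trimming
    # whitespace; the thread does not say how haproxy compares them.
    return value.strip().lower()


def reconcile_host(authority: Optional[str], host_fields: Sequence[str]) -> Decision:
    """Collapse the Host field(s) of one H2/H3 request to at most one value:
    reject if any Host differs from :authority or from an earlier Host,
    otherwise keep exactly one."""
    hosts = [normalize(h) for h in host_fields]
    if authority is not None:
        auth = normalize(authority)
        for h in hosts:
            if h != auth:
                return Decision(False, None, f"Host {h!r} differs from :authority {auth!r}")
        return Decision(True, auth, "Host agrees with :authority, kept :authority")
    if not hosts:
        # Assumption: a request carrying neither :authority nor Host is rejected.
        return Decision(False, None, "neither :authority nor Host present")
    first = hosts[0]
    for h in hosts[1:]:
        if h != first:
            return Decision(False, None, f"Host {h!r} differs from earlier Host {first!r}")
    return Decision(True, first, f"{len(hosts)} identical Host field(s) collapsed to one")


# Constructed sample requests, not captured traffic: (:authority, [Host values]).
SAMPLES = {
    "dup-identical":   (None, ["example.com", "Example.com"]),
    "dup-conflicting": (None, ["example.com", "other.example"]),
    "auth-and-host":   ("example.com", ["example.com"]),
    "auth-mismatch":   ("example.com", ["other.example"]),
    "authority-only":  ("example.com", []),
}

if __name__ == "__main__":
    for name, (authority, hosts) in SAMPLES.items():
        d = reconcile_host(authority, hosts)
        print(f"{name:16} -> {'accept' if d.accept else '400'} {d.host or ''} ({d.reason})")
```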