Re: Handling multiple Host header fields in HTTP/2 and HTTP/3

On Thu, 17 Jul 2025 at 01:53, Lucas Pardue <lucas@lucaspardue.com> wrote:
>
> Hi folks,
>
> A colleague asked me a question and I couldn't land on a conclusive answer for them, so wondered what the rest of you might think.
>
> We're fully aware that H2 and H3 allow situations where there could be an :authority and/or host. The language in RFC 9114 [1] is pretty clear on what to do when one, none, or both are present.
>
> However, the question is what should happen if an H2 or H3 request contains multiple Host headers. RFC 9112 (HTTP/1.1) says [2]
>
> > A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message that lacks a Host header field and to any request message that contains more than one Host header field line or a Host header field with an invalid field value.
>
> Were H2 and H3 "relaxed" in this sense due to the interchangeability of :authority and Host? Even so, it seems weird to me to allow multiple Hosts like this. If there is GitHub archaeology on this I apologise but a cursory check couldn't land me on anything useful.

I don't recall any intentional relaxation of the rules in 7540. I
suspect that 7540 was expected to inherit 7230's prohibition on
multiple Host headers (§ 5.4) and that prohibition wasn't made
explicit by way of oversight more than anything else. Duplicate Host
headers in h2 and h3 are definitely less impactful because they don't
participate in routing, but I can see no reason to make them more
permissive than H1.

>
> Cheers
> Lucas
>
> [1] https://datatracker.ietf.org/doc/html/rfc9114#section-4.3.1
>
> [2] https://www.rfc-editor.org/rfc/rfc9112.html#section-3.2-6

Received on Monday, 28 July 2025 10:27:46 UTC
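
Added example, not part of the original thread and not taken from any RFC or implementation: a sketch of a server-side check on a decoded H2/H3 request field list that applies the HTTP/1.1 "more than one Host field line" rejection discussed above alongside the :authority/Host rules of RFC 9114 section 4.3.1. The function name, the (name, value) list representation, the reason strings and the sample requests are constructed for illustration, and an http/https request is assumed.

```python
from typing import List, Optional, Tuple

Field = Tuple[str, str]  # one decoded field line: (lowercase name, value)


def effective_authority(fields: List[Field]) -> Tuple[Optional[str], Optional[str]]:
    """Return (authority, None) if the request is acceptable, else (None, reason)."""
    authority = [v for n, v in fields if n == ":authority"]
    hosts = [v for n, v in fields if n == "host"]

    # A repeated pseudo-header field is treated as malformed here.
    if len(authority) > 1:
        return None, "duplicate :authority"
    # The HTTP/1.1 rule (RFC 9112 section 3.2) carried over to H2/H3, as the
    # reply suggests. Reject outright: picking the first or last value is how
    # two components end up disagreeing about which host was requested.
    if len(hosts) > 1:
        return None, "multiple Host field lines"

    present = authority + hosts
    # RFC 9114 section 4.3.1: at least one must be present and none may be empty.
    if not present:
        return None, "no :authority or Host"
    if any(v == "" for v in present):
        return None, "empty authority"
    # If both are present they must carry the same value. Comparing
    # case-insensitively is a choice made for this example.
    if len(present) == 2 and authority[0].lower() != hosts[0].lower():
        return None, ":authority and Host differ"
    return present[0].lower(), None


# Constructed sample requests (already decoded from HPACK/QPACK).
SAMPLES = {
    "both, equal": [(":method", "GET"), (":authority", "example.com"), ("host", "example.com")],
    "host only": [(":method", "GET"), ("host", "a.example")],
    "two hosts": [(":method", "GET"), ("host", "a.example"), ("host", "b.example")],
    "mismatch": [(":method", "GET"), (":authority", "a.example"), ("host", "b.example")],
}

if __name__ == "__main__":
    for label, fields in SAMPLES.items():
        print(label, "->", effective_authority(fields))
```

When forwarding to an HTTP/1.1 backend, the single value returned here is the only one that should be written out as the Host header.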