Remaining corner cases between Host and :authority #905
Comments
|
I think #768 is related. |
|
In hindsight, it is easy to see that we need an "HTTP info set", e.g. the pure semantics, and from that derive protocol version serializations. As things went, implementations are now seeking ways to make their own internal representation of semantics. As @wtarreau describes for haproxy. The same is happening in httpd, where one carefully tries to disect the cases that apply in general from the ones specific to a version. This is tricky for backward compatible releases. The worst, to me, seem to be rules in standards to specify "from another http version". That seems to imply an "older, existing" version. Will it apply to a future http version? Who knows? But this question needs an answer soon, as implementations will need to cope with QUIC traffic incoming and forwarding it to another H2 server. I believe implementations will need to
Standard revisions could help here with clarifying the "from other httpd versions" to either apply in general to http semantics or specifically to a range of HTTP versions. It's probably not easy. |
|
Willy, we need to be careful here -- this is a pretty broad issue, touching many points and a fair amount of history. We can't reopen HTTP-core right now, so we're constrained in how well we can integrate things here. Looking at what you bring up, I think we can make some editorial improvements here; I've suggested some in #961. There's a very fine line to walk here between respecting the abstraction that semantics provides and making it useful to implementers. The other thing that might be worth discussing is this requirement:
My recollection is that this was advocated as helping in the reconstruction of the request-line, for purposes like bot detection, debugging, etc.; it gives fidelity to what can be put on the wire in HTTP/1 (although whether that's a good goal is another discussion -- as I've complained elsewhere, h1, Host and authority are not necessarily... sane). In retrospect, that MUST could be too strong; given that h2 is effectively always-encrypted, most intermediaries who participate in the protocol do so on behalf of the origin server, so they can coordinate if this information is necessary (as is wide practice for other bits like this, in various ad hoc headers). Also, it creates a (fallacious) expectation in servers that they can rely on Host being there. For those reasons, I'd (personally) be open to considering dropping this MUST down to a MAY... but if we saw pushback (even mildly so), I'd be concerned enough to back down; I don't think it's important enough to spend too much time on. Regardless of how that ended up, we might add a few words to explain why there's a requirement here. Thoughts? |
|
I understand your points. But right now my point is that this maintains a real security issue. Routing has been made on Host for 2 decades now. It's hard-coded everywhere in applications and components. In HTTP/1 it was usual to make sure that Host and authority would exactly match or reject the request (and it's in HTTP/1.1 messaging#3.2). There's no such rule in H2, resulting in two possibly different authorities being present and used differently along the chain. I would be fine keeping it as-is if we enforce the same rule as in H1, which is that if both are present, they MUST match according to RFC3986's rules on scheme-based normalization. But being allowed to have diverging Host and :authority in H2 is a serious concern to me. |
|
BTW your update in 961 looks way better to me (aside the point being discussed above of course). |
This makes a few changes, restricting things further than before. For the most part, this removes an allowance in the original specification that had Host and :authority potentially differing. The goal of that was - from memory - to preserve some of the inherent quirks in HTTP/1.1. That turns out to be more of a liability than an asset and far less important now that we have a more formal understanding of the structure of requests. Closes httpwg#905.
Adding here the link to my yesterdays report to help with tracking:
https://lists.w3.org/Archives/Public/ietf-http-wg/2021JulSep/0237.html
I can also paste the contents and/or open one or more issues if needed, though I don't think it is needed for now.
The text was updated successfully, but these errors were encountered: