From 2cfe2e9afe374fc2cdd5923b83c522b14666c911 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Tue, 14 Sep 2021 13:21:41 +1000 Subject: [PATCH 1/7] Host and :authority must agree This makes a few changes, restricting things further than before. For the most part, this removes an allowance in the original specification that had Host and :authority potentially differing. The goal of that was - from memory - to preserve some of the inherent quirks in HTTP/1.1. That turns out to be more of a liability than an asset and far less important now that we have a more formal understanding of the structure of requests. Closes #905. --- draft-ietf-httpbis-http2bis.xml | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/draft-ietf-httpbis-http2bis.xml b/draft-ietf-httpbis-http2bis.xml index 963401db..7cbe1c5d 100644 --- a/draft-ietf-httpbis-http2bis.xml +++ b/draft-ietf-httpbis-http2bis.xml @@ -2934,16 +2934,29 @@ cookie: e=f pseudo-header field to convey authority information, unless there is no authority information to convey (in which case it MUST NOT generate :authority). + + Clients MUST NOT generate a request with a Host header field that differs + from the :authority pseudo-header field. A server MAY treat a request as + malformed if it contains a Host header field that is different from the + value of the :authority pseudo-header field. + An intermediary that forwards a request over HTTP/2 MUST construct an :authority pseudo-header field using the authority information from the control data of the original request, unless the the original request's target URI does not contain authority information (in which case it MUST NOT generate - :authority). Note that the Host header field is not the sole source of this - information; see . + :authority). Note that the Host header field is not the sole + source of this information; see . + + + An intermediary that forwards a request received in HTTP/2 via HTTP/1.1 MUST set the + Host field in the forwarded request to the value from the + :authority pseudo-header field, unless it changes the request target. This + replaces any existing Host field to avoid potential vulnerabilities in HTTP + routing. - An intermediary that forwards a request over HTTP/2 MUST retain any Host + An intermediary that forwards a request over HTTP/2 MAY retain any Host header field. From bad442deeeb8c81a1e41004f458bc6435558a27a Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Tue, 14 Sep 2021 15:24:56 +1000 Subject: [PATCH 2/7] Fix potentially ambiguous 'it' --- draft-ietf-httpbis-http2bis.xml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/draft-ietf-httpbis-http2bis.xml b/draft-ietf-httpbis-http2bis.xml index 7cbe1c5d..1ae3db17 100644 --- a/draft-ietf-httpbis-http2bis.xml +++ b/draft-ietf-httpbis-http2bis.xml @@ -2951,9 +2951,9 @@ cookie: e=f An intermediary that forwards a request received in HTTP/2 via HTTP/1.1 MUST set the Host field in the forwarded request to the value from the - :authority pseudo-header field, unless it changes the request target. This - replaces any existing Host field to avoid potential vulnerabilities in HTTP - routing. + :authority pseudo-header field, unless the intermediary also changes the + request target. This replaces any existing Host field to avoid potential + vulnerabilities in HTTP routing. An intermediary that forwards a request over HTTP/2 MAY retain any Host @@ -5185,6 +5185,9 @@ cookie: e=f Connection-specific header fields - which are prohibited - are more precisely and comprehensively identified. +
  • + Host and :authority are no longer permitted to disagree. +
    • From b4eec0357047ade03c33a518a9ef4499ddccc424 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Tue, 14 Sep 2021 17:35:20 +1000 Subject: [PATCH 3/7] normalization; yuck --- draft-ietf-httpbis-http2bis.xml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/draft-ietf-httpbis-http2bis.xml b/draft-ietf-httpbis-http2bis.xml index 1ae3db17..9dcf4f74 100644 --- a/draft-ietf-httpbis-http2bis.xml +++ b/draft-ietf-httpbis-http2bis.xml @@ -2936,9 +2936,13 @@ cookie: e=f Clients MUST NOT generate a request with a Host header field that differs - from the :authority pseudo-header field. A server MAY treat a request as - malformed if it contains a Host header field that is different from the - value of the :authority pseudo-header field. + from the :authority pseudo-header field, when compared byte-for-byte. A + server SHOULD treat a request as malformed if it contains a Host header + field that identifies a different entity to the :authority pseudo-header + field. The values of fields need to be normalized to compare them (see ). An origin server can apply any normalization + method, whereas other servers MUST perform scheme-based normalization (see ) of the two fields. An intermediary that forwards a request over HTTP/2 MUST construct an From 64447589a5a9e1e8c140a0b1397bad4a0117c4e4 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Tue, 14 Sep 2021 17:35:36 +1000 Subject: [PATCH 4/7] Willy's edit to avoid a direct HTTP/1.1 dependency --- draft-ietf-httpbis-http2bis.xml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/draft-ietf-httpbis-http2bis.xml b/draft-ietf-httpbis-http2bis.xml index 9dcf4f74..ee9a93e2 100644 --- a/draft-ietf-httpbis-http2bis.xml +++ b/draft-ietf-httpbis-http2bis.xml @@ -2953,11 +2953,11 @@ cookie: e=f source of this information; see . - An intermediary that forwards a request received in HTTP/2 via HTTP/1.1 MUST set the - Host field in the forwarded request to the value from the - :authority pseudo-header field, unless the intermediary also changes the - request target. This replaces any existing Host field to avoid potential - vulnerabilities in HTTP routing. + An intermediary that needs to produce a Host header field (which might be + necessary to construct an HTTP/1.1 request) MUST set the Host field in the + forwarded request to the value from the :authority pseudo-header field, + unless the intermediary also changes the request target. This replaces any existing + Host field to avoid potential vulnerabilities in HTTP routing. An intermediary that forwards a request over HTTP/2 MAY retain any Host From 577a84a6a9ccabb4b1ae3e67b6ead911a10c0226 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Fri, 17 Sep 2021 09:25:23 +1000 Subject: [PATCH 5/7] Much appreciated Greg Co-authored-by: Greg Wilkins --- draft-ietf-httpbis-http2bis.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-httpbis-http2bis.xml b/draft-ietf-httpbis-http2bis.xml index ee9a93e2..f4402e41 100644 --- a/draft-ietf-httpbis-http2bis.xml +++ b/draft-ietf-httpbis-http2bis.xml @@ -2954,8 +2954,8 @@ cookie: e=f An intermediary that needs to produce a Host header field (which might be - necessary to construct an HTTP/1.1 request) MUST set the Host field in the - forwarded request to the value from the :authority pseudo-header field, + necessary to construct an HTTP/1.1 request) MUST use the value from the :authority + pseudo-header field as the value of the Host field, unless the intermediary also changes the request target. This replaces any existing Host field to avoid potential vulnerabilities in HTTP routing. From af9a40279c465e0b6d7994710affe94ef5228109 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Fri, 17 Sep 2021 09:29:55 +1000 Subject: [PATCH 6/7] no need for this extra stipulation --- draft-ietf-httpbis-http2bis.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-httpbis-http2bis.xml b/draft-ietf-httpbis-http2bis.xml index f4402e41..ef8e6950 100644 --- a/draft-ietf-httpbis-http2bis.xml +++ b/draft-ietf-httpbis-http2bis.xml @@ -2936,7 +2936,7 @@ cookie: e=f Clients MUST NOT generate a request with a Host header field that differs - from the :authority pseudo-header field, when compared byte-for-byte. A + from the :authority pseudo-header field. A server SHOULD treat a request as malformed if it contains a Host header field that identifies a different entity to the :authority pseudo-header field. The values of fields need to be normalized to compare them (see Date: Fri, 24 Sep 2021 12:19:42 +1000 Subject: [PATCH 7/7] generate Co-authored-by: Mark Nottingham --- draft-ietf-httpbis-http2bis.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-httpbis-http2bis.xml b/draft-ietf-httpbis-http2bis.xml index ef8e6950..54ba9c9e 100644 --- a/draft-ietf-httpbis-http2bis.xml +++ b/draft-ietf-httpbis-http2bis.xml @@ -2953,7 +2953,7 @@ cookie: e=f source of this information; see . - An intermediary that needs to produce a Host header field (which might be + An intermediary that needs to generate a Host header field (which might be necessary to construct an HTTP/1.1 request) MUST use the value from the :authority pseudo-header field as the value of the Host field, unless the intermediary also changes the request target. This replaces any existing