Host and :authority must agree

This makes a few changes, restricting things further than before. For the most part, this removes an allowance in the original specification that had Host and :authority potentially differing. The goal of that was - from memory - to preserve some of the inherent quirks in HTTP/1.1. That turns out to be more of a liability than an asset and far less important now that we have a more formal understanding of the structure of requests. Closes httpwg#905.
martinthomson · Sep 14, 2021 · 2cfe2e9 · 2cfe2e9
1 parent 5741b83
commit 2cfe2e9
Showing 1 changed file with 16 additions and 3 deletions.
diff --git a/draft-ietf-httpbis-http2bis.xml b/draft-ietf-httpbis-http2bis.xml
@@ -2934,16 +2934,29 @@ cookie: e=f
                 pseudo-header field to convey authority information, unless there is no authority
                 information to convey (in which case it MUST NOT generate :authority).
               </t>
+              <t>
+                Clients MUST NOT generate a request with a <tt>Host</tt> header field that differs
+                from the <tt>:authority</tt> pseudo-header field.  A server MAY treat a request as
+                malformed if it contains a <tt>Host</tt> header field that is different from the
+                value of the <tt>:authority</tt> pseudo-header field.
+              </t>
               <t>
                 An intermediary that forwards a request over HTTP/2 MUST construct an
                 <tt>:authority</tt> pseudo-header field using the authority information from the
                 control data of the original request, unless the the original request's target URI
                 does not contain authority information (in which case it MUST NOT generate
-                <tt>:authority</tt>). Note that the Host header field is not the sole source of this
-                information; see <xref target="HTTP" section="7.2"/>.
+                <tt>:authority</tt>). Note that the <tt>Host</tt> header field is not the sole
+                source of this information; see <xref target="HTTP" section="7.2"/>.
+              </t>
+              <t>
+                An intermediary that forwards a request received in HTTP/2 via HTTP/1.1 MUST set the
+                <tt>Host</tt> field in the forwarded request to the value from the
+                <tt>:authority</tt> pseudo-header field, unless it changes the request target. This
+                replaces any existing <tt>Host</tt> field to avoid potential vulnerabilities in HTTP
+                routing.
               </t>
               <t>
-                An intermediary that forwards a request over HTTP/2 MUST retain any <tt>Host</tt>
+                An intermediary that forwards a request over HTTP/2 MAY retain any <tt>Host</tt>
                 header field.
               </t>
               <t>