From 2cfe2e9afe374fc2cdd5923b83c522b14666c911 Mon Sep 17 00:00:00 2001
From: Martin Thomson
Date: Tue, 14 Sep 2021 13:21:41 +1000
Subject: [PATCH] Host and :authority must agree

This makes a few changes, restricting things further than before.

For the most part, this removes an allowance in the original specification that had Host and :authority potentially differing. The goal of that was - from memory - to preserve some of the inherent quirks in HTTP/1.1. That turns out to be more of a liability than an asset and far less important now that we have a more formal understanding of the structure of requests.

Closes #905.
---
 draft-ietf-httpbis-http2bis.xml | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/draft-ietf-httpbis-http2bis.xml b/draft-ietf-httpbis-http2bis.xml
index 963401db..7cbe1c5d 100644
--- a/draft-ietf-httpbis-http2bis.xml
+++ b/draft-ietf-httpbis-http2bis.xml
@@ -2934,16 +2934,29 @@ cookie: e=f pseudo-header field to convey authority information, unless there is no authority information to convey (in which case it MUST NOT generate :authority). + + Clients MUST NOT generate a request with a Host header field that differs + from the :authority pseudo-header field. A server MAY treat a request as + malformed if it contains a Host header field that is different from the + value of the :authority pseudo-header field. + An intermediary that forwards a request over HTTP/2 MUST construct an :authority pseudo-header field using the authority information from the control data of the original request, unless the the original request's target URI does not contain authority information (in which case it MUST NOT generate - :authority). Note that the Host header field is not the sole source of this - information; see . + :authority). Note that the Host header field is not the sole + source of this information; see . + + + An intermediary that forwards a request received in HTTP/2 via HTTP/1.1 MUST set the + Host field in the forwarded request to the value from the + :authority pseudo-header field, unless it changes the request target. This + replaces any existing Host field to avoid potential vulnerabilities in HTTP + routing. - An intermediary that forwards a request over HTTP/2 MUST retain any Host + An intermediary that forwards a request over HTTP/2 MAY retain any Host header field.
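Review bot: the final change in this hunk, "MUST retain any Host" becoming "MAY retain any Host", leaves a gap against the new client requirement added at the top of the same hunk ("Clients MUST NOT generate a request with a Host header field that differs from the :authority pseudo-header field"). An intermediary that constructs :authority from the original request's control data, as the unchanged paragraph in between requires, and then elects to retain a Host field taken from the incoming request can emit exactly the mismatched Host/:authority pair that the new text lets a server treat as malformed. Consider stating that a retained Host field MUST match the :authority pseudo-header field the intermediary generates, or that the intermediary MUST otherwise remove it, so the HTTP/2-to-HTTP/2 forwarding rule is as explicit as the HTTP/2-to-HTTP/1.1 rule added here. Two smaller points in the same hunk: in "MUST set the Host field in the forwarded request to the value from the :authority pseudo-header field, unless it changes the request target", it is ambiguous whether the exception relieves the intermediary of setting Host at all or only of copying the :authority value, and since the following sentence gives routing vulnerabilities as the rationale, the safer reading (Host still set, to the authority of the new target) should be spelled out; and the unchanged context line "unless the the original request's target URI" carries a doubled "the" that can be fixed while this paragraph is being rewrapped.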