Re: HTTP/2 examples SHOULD use :authority

Martin Thomson <> Thu, 01 December 2016 23:14 UTC

From: Martin Thomson <>
Date: Fri, 02 Dec 2016 10:08:50 +1100
To: Alex Rousskov <>
Cc: HTTP Working Group <>

Alex, you are right to observe that the examples in the document could
have been better.

There was a long discussion about this and the ultimate conclusion was
to recommend :authority over host.  However that never made the
examples section.

We did not mandate use of :authority so that proxies and gateways
could provide perfect fidelity in their translation from 1.1 to 2.

If you interpret the examples as conversions, then they are correct in
that the fidelity is preserved (as Kari points out).  However, I don't
believe that to be the primary purpose of examples in this

If we were able to make a change, I would indeed change the examples
to use :authority, but include a note that said that - in the case of
a direct conversion from 1.1 - "host" would be used instead.

On 2 December 2016 at 03:54, Alex Rousskov
<> wrote:
> Hello,
>     This question is inspired by an interoperability problem between Web
> Polygraph benchmark and a [MitM] HTTP/2 proxy. Inside a CONNECT tunnel
> to a Polygraph server, Polygraph clients were violating the following
> RFC 7540 SHOULD by sending a Host header instead of the :authority
> pseudo-header:
>>   Clients
>>   that generate HTTP/2 requests directly SHOULD use the ":authority"
>>   pseudo-header field instead of the Host header field.
> When forwarding the requests, the proxy dropped the Host header without
> adding :authority... While investigating who is at fault, I noticed that
> Polygraph [accidentally] follows RFC 7540 examples: *All* Section 8.3
> examples show HTTP/2 requests with a Host header instead of :authority!
>> GET /resource HTTP/1.1       HEADERS
>> Host:       ==>    + END_STREAM
>> Accept: image/jpeg             + END_HEADERS
>>                                  :method = GET
>>                                  :scheme = https
>>                                  :path = /resource
>>                                  host =
>>                                  accept = image/jpeg
> One could argue that the RFC examples are meant to illustrate how to
> mechanically translate an HTTP/1 message to HTTP/2, with as little
> information loss as possible, even at the expense of violating a SHOULD.
> I do not think that is a valid argument because the Examples section
> does not disclose that intent and most readers will expect the [only]
> Example section to illustrate genuine HTTP/2 messages rather than
> unusual HTTP version translation peculiarities (unless explicitly noted
> otherwise).
> AFAICT, the Examples section talks about and shows various generated
> HTTP/2 messages that meet version-agnostic prose specifications. The
> HTTP/1 messages are probably also included just because most [early] RFC
> readers were expected to be more familiar with HTTP/1 than HTTP/2.
> Do you think the RFC examples should use ":authority" instead of "host"?
> Thank you,
> Alex.
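
Added example, not part of the original thread and not code from RFC 7540, Web Polygraph or any proxy: a sketch of how a forwarding intermediary can carry the request authority across a hop without losing it, which is the failure described above (Host dropped, no :authority added). The function names, the `fidelity` switch, the rejection of disagreeing values and the `example.org` sample are assumptions of this example.

```python
# Added illustration; header lists are (name, value) pairs with lowercase
# names, as HTTP/2 requires. SAMPLE is constructed data.

def effective_authority(headers):
    """Return (value, source), where source is ':authority' or 'host'."""
    authority = [v for n, v in headers if n == ":authority"]
    host = [v for n, v in headers if n == "host"]
    if len(authority) > 1 or len(host) > 1:
        raise ValueError("duplicate authority information")
    # Policy choice of this example: refuse to guess when the two disagree.
    if authority and host and authority[0].lower() != host[0].lower():
        raise ValueError("':authority' and 'host' disagree")
    if authority:
        return authority[0], ":authority"
    if host:
        return host[0], "host"
    raise ValueError("request carries neither ':authority' nor 'host'")


def forward(headers, fidelity=False):
    """Build the header list to send upstream over HTTP/2.

    fidelity=False: always emit ':authority' (the RFC 7540 SHOULD for
    requests generated directly as HTTP/2).
    fidelity=True: keep 'host' when that is how the authority arrived,
    as in a direct conversion from HTTP/1.1.
    Either way the authority is never silently dropped.
    """
    value, source = effective_authority(headers)
    rest = [(n, v) for n, v in headers if n not in (":authority", "host")]
    # Pseudo-header fields must precede regular header fields.
    pseudo = [h for h in rest if h[0].startswith(":")]
    regular = [h for h in rest if not h[0].startswith(":")]
    if fidelity and source == "host":
        return pseudo + [("host", value)] + regular
    return pseudo + [(":authority", value)] + regular


# Constructed request in the shape of the Section 8.3 example quoted above.
SAMPLE = [
    (":method", "GET"),
    (":scheme", "https"),
    (":path", "/resource"),
    ("host", "example.org"),
    ("accept", "image/jpeg"),
]

if __name__ == "__main__":
    print(forward(SAMPLE))
    print(forward(SAMPLE, fidelity=True))
```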