IETF Logo Mail Archive

Re: RFC 9113 and :authority header field

Kazuho Oku <kazuhooku@gmail.com> Mon, 04 July 2022 01:46 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B827C14F739 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 3 Jul 2022 18:46:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.758
X-Spam-Level:
X-Spam-Status: No, score=-2.758 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v8le4Y_LGHEF for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 3 Jul 2022 18:46:07 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 599FEC14F72E for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 3 Jul 2022 18:46:06 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1o8B70-00ACE6-NF for ietf-http-wg-dist@listhub.w3.org; Mon, 04 Jul 2022 01:42:54 +0000
Resent-Date: Mon, 04 Jul 2022 01:42:54 +0000
Resent-Message-Id: <E1o8B70-00ACE6-NF@lyra.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <kazuhooku@gmail.com>) id 1o8B6y-00ACCn-UK for ietf-http-wg@listhub.w3.org; Mon, 04 Jul 2022 01:42:52 +0000
Received: from mail-ed1-x52a.google.com ([2a00:1450:4864:20::52a]) by titan.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from <kazuhooku@gmail.com>) id 1o8B6x-0097BK-6d for ietf-http-wg@w3.org; Mon, 04 Jul 2022 01:42:52 +0000
Received: by mail-ed1-x52a.google.com with SMTP id ej4so9855626edb.7 for <ietf-http-wg@w3.org>; Sun, 03 Jul 2022 18:42:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=QJ5Rs35mtjZMuNjznwmfKujskGR97qusirUAIqPL+h0=; b=cG/xKkGy65DOJ7vnS0y96n7yFDL4BCZNaLbCDedFUpjvNUn5yHY4yY71fKwsrhe6SZ A0XyVdC19odxsLjP6SrB6hQBAVftciKiXYYvdCvVIRCd7974H49/1Varw+sdJezX1/NN ofPOE5RiISiqgBaURAJtHIa18qHkHrzqUKZfp4MITVFlRVKNKWXHLDHbDAoOQURin5dX KZgwqO0q83X2+BEcaGoMK1EK6ZkfuzGrRFlfiTsAD/ld3dt2Z8gxkEwYvKSTs9tyEpIa A8cBF6XJpzzWNbM/Bh4ZjT01RqB4QkvRbRbQXYtLR2fYqBd4HwpUCUXXyXxV8MMOG3gu bHeA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=QJ5Rs35mtjZMuNjznwmfKujskGR97qusirUAIqPL+h0=; b=lNcNWQNauy5ojY8dSa07YnSO72uL9qke3RqL5DRP3BrsdbB5pqObOFGXFAyB5NQZLK JOji6A6jDiJ2iDWXfoae82SHUu9/HXppEp8z/+pxN6YVgVnqOJdHqPtWovO96sXe2Fh0 bWkgCMufJx+m+hxp2qugW9QMdzGJkdjSf8qZcZ1EJqquxBbkcRd3L52hW8pmwebqNzmm 05VcQ0i46iUvb6bie/jXcpV0+5WIsIleur4q1LffZ/TQ4vdzGmCnLEAt0XpDHtXynl9G +YjY+OGL75EULrxo3V/PWGrZtaSotvKIQFvHlea6DpxhLvfXzS/ssnqn5i+uO2ZtATHy WEWg==
X-Gm-Message-State: AJIora8OEO1uh1w8delK8Yq3Sq0LGvi6RZES6IGe7Rkp4b6PZfo0Hrus pN+dvFBfXnpwtbK6GU+5RkThJs4PEJ9rMzDqIZg=
X-Google-Smtp-Source: AGRyM1uUDrZR0FjdM0HXaQmVpjN0mm/Fp92Y1phQiBBcmEHtDX16wu5M4zzTVsn6p6xyCS0jk4bjC++tbvLYOZd1S2I=
X-Received: by 2002:a05:6402:1459:b0:437:9282:2076 with SMTP id d25-20020a056402145900b0043792822076mr34913131edx.6.1656898959293; Sun, 03 Jul 2022 18:42:39 -0700 (PDT)
MIME-Version: 1.0
References: <CAPyZ6=+q+MoOOwoCxbtFjt+gqsjHBqTzz9KXNVcs3EP-4VFp=Q@mail.gmail.com> <D7142A8A-5B80-46F5-A653-2307EE2DC5D8@gbiv.com> <CAPyZ6=LCSDAsPoFCQ2cRO-i+dpo5vnp2L5A7ZLw8dvRtDs6HUg@mail.gmail.com> <741f3592-4d20-45fc-9658-8c4c71f08e5b@beta.fastmail.com> <CANatvzwLo=QT6n8f2gjAgf+03gQACo0rLkMetBMGER35RoVayA@mail.gmail.com>
In-Reply-To: <CANatvzwLo=QT6n8f2gjAgf+03gQACo0rLkMetBMGER35RoVayA@mail.gmail.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Mon, 04 Jul 2022 10:42:27 +0900
Message-ID: <CANatvzy5S7+T9VPGehT72de+xz7C+MpSKpMATmxhfYXymg6e4A@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Ian Swett <ianswett@google.com>
Content-Type: multipart/alternative; boundary="000000000000e5c1bf05e2f0d95f"
Received-SPF: pass client-ip=2a00:1450:4864:20::52a; envelope-from=kazuhooku@gmail.com; helo=mail-ed1-x52a.google.com
X-W3C-Hub-DKIM-Status: validation passed: (address=kazuhooku@gmail.com domain=gmail.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-4.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1o8B6x-0097BK-6d 8a57219556473fd630df23cba3e0bc70
X-Original-To: ietf-http-wg@w3.org
Subject: Re: RFC 9113 and :authority header field
Archived-At: <https://www.w3.org/mid/CANatvzy5S7+T9VPGehT72de+xz7C+MpSKpMATmxhfYXymg6e4A@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/40235
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

2022年7月4日(月) 10:06 Kazuho Oku <kazuhooku@gmail.com>:

> Thanks to Tatsuhiro and to all others for bringing the discussion.
>
> 2022年6月29日(水) 9:37 Martin Thomson <mt@lowentropy.net>:
>
>> On Wed, Jun 29, 2022, at 09:58, Tatsuhiro Tsujikawa wrote:
>> > I think 2) is valid in terms of RFC 7540, but it suddenly becomes
>> > invalid in terms of RFC 9113?
>> > Is this correct?  https://www.fastly.com and https://www.google.com
>> now
>> > reject 2).
>>
>> My understanding is that both are valid alternatives.  As would a third
>> option that contained the same value in both host and :authority.  The 4xx
>> responses you are getting are (probably) compliance bugs.
>>
>
> Are you suggesting that RFC 9113 has an error, or am I missing something?
> I ask this because RFC 9113 section 8.3.1 states:
> "Clients that generate HTTP/2 requests directly MUST use the ":authority"
> pseudo-header field to convey authority information, unless there is no
> authority information to convey (in which case it MUST NOT generate "
> :authority")."
>

Regarding this MUST, it seems that we (maybe unintentionally?) tightened
the language in https://github.com/httpwg/http2-spec/pull/961.

It changed a generic "SHOULD" to a "MUST unless."


> and
> "An intermediary that forwards a request over HTTP/2 MUST construct an "
> :authority" pseudo-header field using the authority information from the
> control data of the original request, unless the original request's target
> URI does not contain authority information (in which case it MUST NOT
> generate ":authority")."
>

This MUST seems to come from
https://github.com/httpwg/http2-spec/pull/845/files.

As of #845, we mandate intermediaries forward origin-form requests (e.g., a
"GET / HTTP/1.1" + Host) using an `:authority` request header field.

Maybe these changes have been unintentional.

Regarding H2O, we did not intend to enforce the use of `:authority` pseudo
header field, so I have no problem in reverting the behavior. But
nevertheless, I think it's worth discussing the state of the specification.


>
> My interpretation of these MUSTs is that a client is forbidden to create a
> HTTP/2 request that omits an `:authority` header field (unless the method
> or the URI permits it to).
>
>
>>
>> Thankfully we know people who might be closer to someone who is able to
>> fix or defend those bugs.  (On CC).
>>
>> This whole host and :authority thing was an original mistake in HTTP/2.
>> It was grounded in the view that HTTP/2 had to faithfully capture every
>> weird thing HTTP/1.1 could express, even when it didn't make sense.  At the
>> time, that was pragmatic and it might have aided deployment into systems
>> that were, on some levels, broken.  In time, we should seek to remove those
>> exceptions.  In the revision, we did some of that by disallowing different
>> values.
>>
>
>
> --
> Kazuho Oku
>


-- 
Kazuho Oku

v2.23.0 | Report a Bug | By Email