Re: RFC 9113 and :authority header field
Kazuho Oku <kazuhooku@gmail.com> Mon, 04 July 2022 01:46 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B827C14F739 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 3 Jul 2022 18:46:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.758
X-Spam-Level:
X-Spam-Status: No, score=-2.758 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v8le4Y_LGHEF for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Sun, 3 Jul 2022 18:46:07 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 599FEC14F72E for <httpbisa-archive-bis2Juki@lists.ietf.org>; Sun, 3 Jul 2022 18:46:06 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.94.2) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1o8B70-00ACE6-NF for ietf-http-wg-dist@listhub.w3.org; Mon, 04 Jul 2022 01:42:54 +0000
Resent-Date: Mon, 04 Jul 2022 01:42:54 +0000
Resent-Message-Id: <E1o8B70-00ACE6-NF@lyra.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <kazuhooku@gmail.com>) id 1o8B6y-00ACCn-UK for ietf-http-wg@listhub.w3.org; Mon, 04 Jul 2022 01:42:52 +0000
Received: from mail-ed1-x52a.google.com ([2a00:1450:4864:20::52a]) by titan.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from <kazuhooku@gmail.com>) id 1o8B6x-0097BK-6d for ietf-http-wg@w3.org; Mon, 04 Jul 2022 01:42:52 +0000
Received: by mail-ed1-x52a.google.com with SMTP id ej4so9855626edb.7 for <ietf-http-wg@w3.org>; Sun, 03 Jul 2022 18:42:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=QJ5Rs35mtjZMuNjznwmfKujskGR97qusirUAIqPL+h0=; b=cG/xKkGy65DOJ7vnS0y96n7yFDL4BCZNaLbCDedFUpjvNUn5yHY4yY71fKwsrhe6SZ A0XyVdC19odxsLjP6SrB6hQBAVftciKiXYYvdCvVIRCd7974H49/1Varw+sdJezX1/NN ofPOE5RiISiqgBaURAJtHIa18qHkHrzqUKZfp4MITVFlRVKNKWXHLDHbDAoOQURin5dX KZgwqO0q83X2+BEcaGoMK1EK6ZkfuzGrRFlfiTsAD/ld3dt2Z8gxkEwYvKSTs9tyEpIa A8cBF6XJpzzWNbM/Bh4ZjT01RqB4QkvRbRbQXYtLR2fYqBd4HwpUCUXXyXxV8MMOG3gu bHeA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=QJ5Rs35mtjZMuNjznwmfKujskGR97qusirUAIqPL+h0=; b=lNcNWQNauy5ojY8dSa07YnSO72uL9qke3RqL5DRP3BrsdbB5pqObOFGXFAyB5NQZLK JOji6A6jDiJ2iDWXfoae82SHUu9/HXppEp8z/+pxN6YVgVnqOJdHqPtWovO96sXe2Fh0 bWkgCMufJx+m+hxp2qugW9QMdzGJkdjSf8qZcZ1EJqquxBbkcRd3L52hW8pmwebqNzmm 05VcQ0i46iUvb6bie/jXcpV0+5WIsIleur4q1LffZ/TQ4vdzGmCnLEAt0XpDHtXynl9G +YjY+OGL75EULrxo3V/PWGrZtaSotvKIQFvHlea6DpxhLvfXzS/ssnqn5i+uO2ZtATHy WEWg==
X-Gm-Message-State: AJIora8OEO1uh1w8delK8Yq3Sq0LGvi6RZES6IGe7Rkp4b6PZfo0Hrus pN+dvFBfXnpwtbK6GU+5RkThJs4PEJ9rMzDqIZg=
X-Google-Smtp-Source: AGRyM1uUDrZR0FjdM0HXaQmVpjN0mm/Fp92Y1phQiBBcmEHtDX16wu5M4zzTVsn6p6xyCS0jk4bjC++tbvLYOZd1S2I=
X-Received: by 2002:a05:6402:1459:b0:437:9282:2076 with SMTP id d25-20020a056402145900b0043792822076mr34913131edx.6.1656898959293; Sun, 03 Jul 2022 18:42:39 -0700 (PDT)
MIME-Version: 1.0
References: <CAPyZ6=+q+MoOOwoCxbtFjt+gqsjHBqTzz9KXNVcs3EP-4VFp=Q@mail.gmail.com> <D7142A8A-5B80-46F5-A653-2307EE2DC5D8@gbiv.com> <CAPyZ6=LCSDAsPoFCQ2cRO-i+dpo5vnp2L5A7ZLw8dvRtDs6HUg@mail.gmail.com> <741f3592-4d20-45fc-9658-8c4c71f08e5b@beta.fastmail.com> <CANatvzwLo=QT6n8f2gjAgf+03gQACo0rLkMetBMGER35RoVayA@mail.gmail.com>
In-Reply-To: <CANatvzwLo=QT6n8f2gjAgf+03gQACo0rLkMetBMGER35RoVayA@mail.gmail.com>
From: Kazuho Oku <kazuhooku@gmail.com>
Date: Mon, 04 Jul 2022 10:42:27 +0900
Message-ID: <CANatvzy5S7+T9VPGehT72de+xz7C+MpSKpMATmxhfYXymg6e4A@mail.gmail.com>
To: Martin Thomson <mt@lowentropy.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Ian Swett <ianswett@google.com>
Content-Type: multipart/alternative; boundary="000000000000e5c1bf05e2f0d95f"
Received-SPF: pass client-ip=2a00:1450:4864:20::52a; envelope-from=kazuhooku@gmail.com; helo=mail-ed1-x52a.google.com
X-W3C-Hub-DKIM-Status: validation passed: (address=kazuhooku@gmail.com domain=gmail.com), signature is good
X-W3C-Hub-Spam-Status: No, score=-4.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1o8B6x-0097BK-6d 8a57219556473fd630df23cba3e0bc70
X-Original-To: ietf-http-wg@w3.org
Subject: Re: RFC 9113 and :authority header field
Archived-At: <https://www.w3.org/mid/CANatvzy5S7+T9VPGehT72de+xz7C+MpSKpMATmxhfYXymg6e4A@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/40235
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
2022年7月4日(月) 10:06 Kazuho Oku <kazuhooku@gmail.com>: > Thanks to Tatsuhiro and to all others for bringing the discussion. > > 2022年6月29日(水) 9:37 Martin Thomson <mt@lowentropy.net>: > >> On Wed, Jun 29, 2022, at 09:58, Tatsuhiro Tsujikawa wrote: >> > I think 2) is valid in terms of RFC 7540, but it suddenly becomes >> > invalid in terms of RFC 9113? >> > Is this correct? https://www.fastly.com and https://www.google.com >> now >> > reject 2). >> >> My understanding is that both are valid alternatives. As would a third >> option that contained the same value in both host and :authority. The 4xx >> responses you are getting are (probably) compliance bugs. >> > > Are you suggesting that RFC 9113 has an error, or am I missing something? > I ask this because RFC 9113 section 8.3.1 states: > "Clients that generate HTTP/2 requests directly MUST use the ":authority" > pseudo-header field to convey authority information, unless there is no > authority information to convey (in which case it MUST NOT generate " > :authority")." > Regarding this MUST, it seems that we (maybe unintentionally?) tightened the language in https://github.com/httpwg/http2-spec/pull/961. It changed a generic "SHOULD" to a "MUST unless." > and > "An intermediary that forwards a request over HTTP/2 MUST construct an " > :authority" pseudo-header field using the authority information from the > control data of the original request, unless the original request's target > URI does not contain authority information (in which case it MUST NOT > generate ":authority")." > This MUST seems to come from https://github.com/httpwg/http2-spec/pull/845/files. As of #845, we mandate intermediaries forward origin-form requests (e.g., a "GET / HTTP/1.1" + Host) using an `:authority` request header field. Maybe these changes have been unintentional. Regarding H2O, we did not intend to enforce the use of `:authority` pseudo header field, so I have no problem in reverting the behavior. But nevertheless, I think it's worth discussing the state of the specification. > > My interpretation of these MUSTs is that a client is forbidden to create a > HTTP/2 request that omits an `:authority` header field (unless the method > or the URI permits it to). > > >> >> Thankfully we know people who might be closer to someone who is able to >> fix or defend those bugs. (On CC). >> >> This whole host and :authority thing was an original mistake in HTTP/2. >> It was grounded in the view that HTTP/2 had to faithfully capture every >> weird thing HTTP/1.1 could express, even when it didn't make sense. At the >> time, that was pragmatic and it might have aided deployment into systems >> that were, on some levels, broken. In time, we should seek to remove those >> exceptions. In the revision, we did some of that by disallowing different >> values. >> > > > -- > Kazuho Oku > -- Kazuho Oku
- RFC 9113 and :authority header field Tatsuhiro Tsujikawa
- Re: RFC 9113 and :authority header field Roy T. Fielding
- Re: RFC 9113 and :authority header field Tatsuhiro Tsujikawa
- Re: RFC 9113 and :authority header field Martin Thomson
- Re: RFC 9113 and :authority header field Willy Tarreau
- Re: RFC 9113 and :authority header field Tatsuhiro Tsujikawa
- Re: RFC 9113 and :authority header field Stefan Eissing
- Re: RFC 9113 and :authority header field Tatsuhiro Tsujikawa
- Re: RFC 9113 and :authority header field Roy T. Fielding
- Re: RFC 9113 and :authority header field David Schinazi
- Re: RFC 9113 and :authority header field Martin Thomson
- Re: RFC 9113 and :authority header field Willy Tarreau
- Re: RFC 9113 and :authority header field Willy Tarreau
- Re: RFC 9113 and :authority header field Willy Tarreau
- Re: RFC 9113 and :authority header field Stefan Eissing
- Re: RFC 9113 and :authority header field Willy Tarreau
- Re: RFC 9113 and :authority header field Roy T. Fielding
- Re: RFC 9113 and :authority header field Willy Tarreau
- Re: RFC 9113 and :authority header field David Schinazi
- Re: RFC 9113 and :authority header field Kazuho Oku
- Re: RFC 9113 and :authority header field Kazuho Oku
- Re: RFC 9113 and :authority header field Willy Tarreau