Merge pull request #968 from martinthomson/host-authority-mix

martinthomson · web-flow · commit 78d4e21e9134 · 2021-09-24T12:34:13.000+10:00
Host and :authority must agree
diff --git a/draft-ietf-httpbis-http2bis.xml b/draft-ietf-httpbis-http2bis.xml
@@ -2934,16 +2934,33 @@ cookie: e=f
                 pseudo-header field to convey authority information, unless there is no authority
                 information to convey (in which case it MUST NOT generate :authority).
               </t>
+              <t>
+                Clients MUST NOT generate a request with a <tt>Host</tt> header field that differs
+                from the <tt>:authority</tt> pseudo-header field.  A
+                server SHOULD treat a request as malformed if it contains a <tt>Host</tt> header
+                field that identifies a different entity to the <tt>:authority</tt> pseudo-header
+                field.  The values of fields need to be normalized to compare them (see <xref
+                target="RFC3986" section="6.2"/>).  An origin server can apply any normalization
+                method, whereas other servers MUST perform scheme-based normalization (see <xref
+                target="RFC3986" section="6.2.3"/>) of the two fields.
+              </t>
               <t>
                 An intermediary that forwards a request over HTTP/2 MUST construct an
                 <tt>:authority</tt> pseudo-header field using the authority information from the
                 control data of the original request, unless the the original request's target URI
                 does not contain authority information (in which case it MUST NOT generate
-                <tt>:authority</tt>). Note that the Host header field is not the sole source of this
-                information; see <xref target="HTTP" section="7.2"/>.
+                <tt>:authority</tt>). Note that the <tt>Host</tt> header field is not the sole
+                source of this information; see <xref target="HTTP" section="7.2"/>.
+              </t>
+              <t>
+                An intermediary that needs to generate a <tt>Host</tt> header field (which might be
+                necessary to construct an HTTP/1.1 request) MUST use the value from the <tt>:authority</tt> 
+                pseudo-header field as the value of the <tt>Host</tt> field,
+                unless the intermediary also changes the request target. This replaces any existing
+                <tt>Host</tt> field to avoid potential vulnerabilities in HTTP routing.
               </t>
               <t>
-                An intermediary that forwards a request over HTTP/2 MUST retain any <tt>Host</tt>
+                An intermediary that forwards a request over HTTP/2 MAY retain any <tt>Host</tt>
                 header field.
               </t>
               <t>
@@ -5172,6 +5189,9 @@ cookie: e=f
           Connection-specific header fields - which are prohibited - are more precisely and
           comprehensively identified.
         </li>
+        <li>
+          <tt>Host</tt> and <tt>:authority</tt> are no longer permitted to disagree.
+        </li>
       </ul>
     </section>
     <section numbered="false">
