Mar 11, 2012, 1:32:11 AM (8 years ago)

clean up the phrasing of requirements in request-target and Host to
disambiguate the four cases and make the client responsible for compliance.

1 edited


  • draft-ietf-httpbis/latest/p1-messaging.xml

    r1579 r1581  
    3333  <!ENTITY idempotent-methods     "<xref target='Part2' x:rel='#idempotent.methods' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
    3434  <!ENTITY method                 "<xref target='Part2' x:rel='#method' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
     35  <!ENTITY OPTIONS                "<xref target='Part2' x:rel='#OPTIONS' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
    3536  <!ENTITY status-code-reasonphr  "<xref target='Part2' x:rel='#status.code.and.reason.phrase' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
    3637  <!ENTITY status-codes           "<xref target='Part2' x:rel='#status.codes' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
    23602361   the method being requested and whether the request is to a proxy.
    2362 <figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="request-target"/>
    2363   <x:ref>request-target</x:ref> = "*"
    2364                  / <x:ref>absolute-URI</x:ref>
    2365                  / ( <x:ref>path-absolute</x:ref> [ "?" <x:ref>query</x:ref> ] )
    2366                  / <x:ref>authority</x:ref>
     2363<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="request-target"/><iref primary="true" item="Grammar" subitem="origin-form"/><iref primary="true" item="Grammar" subitem="absolute-form"/><iref primary="true" item="Grammar" subitem="authority-form"/><iref primary="true" item="Grammar" subitem="asterisk-form"/>
     2364  <x:ref>request-target</x:ref> = <x:ref>origin-form</x:ref>
     2365                 / <x:ref>absolute-form</x:ref>
     2366                 / <x:ref>authority-form</x:ref>
     2367                 / <x:ref>asterisk-form</x:ref>
     2369  <x:ref>origin-form</x:ref>    = <x:ref>path-absolute</x:ref> [ "?" <x:ref>query</x:ref> ]
     2370  <x:ref>absolute-form</x:ref>  = <x:ref>absolute-URI</x:ref>
     2371  <x:ref>authority-form</x:ref> = <x:ref>authority</x:ref>
     2372  <x:ref>asterisk-form</x:ref>  = "*"
    2368 <t anchor="origin-form"><iref item="origin form (of request-target)"/>
    2369    The most common form of request-target is that used when making
    2370    a request to an origin server ("origin form") to access a resource
    2371    identified by an "http" (<xref target="http.uri"/>) or
    2372    "https" (<xref target="https.uri"/>) URI.
    2373    In this case, the absolute path and query components of the URI
    2374    &MUST; be transmitted as the request-target and the authority component
    2375    (excluding any userinfo) &MUST; be transmitted in a Host header field.
     2374<t anchor="origin-form"><iref item="origin-form (of request-target)"/>
     2375   The most common form of request-target is the origin-form.
     2376   When making a request directly to an origin server, other than a CONNECT
     2377   or server-wide OPTIONS request (as detailed below),
     2378   a client &MUST; send only the absolute path and query components of
     2379   the target URI as the request-target.
     2380   If the target URI's path component is empty, then the client &MUST; send
     2381   "/" as the path within the origin-form of request-target.
     2382   A Host header field is also sent, as defined in
     2383   <xref target="header.host"/>, containing the target URI's
     2384   authority component (excluding any userinfo).
    23762387   For example, a client wishing to retrieve a representation of the resource
    23772388   identified as
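Review bot: new lines 2382-2384 state the Host requirement passively and without a requirement keyword ("A Host header field is also sent"), while the removed text at old lines 2374-2375 used &MUST; for both the request-target and the Host header field. Since the stated aim is to make the client responsible, name the actor here as well, for example "the client also sends a Host header field, as defined in ...", so the origin-form paragraph is not read as weakening the requirement that the header.host section carries.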
    2391    followed by the remainder of the request. Note that the origin form
    2392    of request-target always starts with an absolute path. If the target
    2393    resource's URI path is empty, then an absolute path of "/" &MUST; be
    2394    provided in the request-target.
    2395 </t>
    2396 <t>
    2397    If the request-target is percent-encoded
    2398    (<xref target="RFC3986" x:fmt="," x:sec="2.1"/>), the origin server
    2399    &MUST; decode the request-target in order to
    2400    properly interpret the request. Servers &SHOULD; respond to invalid
    2401    request-targets with an appropriate status code.
    2402 </t>
    2403 <t anchor="absolute-URI-form"><iref item="absolute-URI form (of request-target)"/>
    2404    The "absolute-URI" form of request-target is &REQUIRED; when the request
    2405    is being made to a proxy.  The proxy is requested to either forward the
    2406    request or service it from a valid cache, and then return the response.
    2407    Note that the proxy &MAY; forward the request on to another proxy or
    2408    directly to the server specified by the absolute-URI.
     2402   followed by the remainder of the request message.
     2404<t anchor="absolute-form"><iref item="absolute-form (of request-target)"/>
     2405   When making a request to a proxy, other than a CONNECT or server-wide
     2406   OPTIONS request (as detailed below), a client &MUST; send the target URI
     2407   in absolute-form as the request-target.
     2408   The proxy is requested to either service that request from a valid cache,
     2409   if possible, or make the same request on the client's behalf to either
     2410   the next inbound proxy server or directly to the origin server indicated
     2411   by the request-target.
    24092412   In order to avoid request loops, a proxy that forwards requests to other
    24102413   proxies &MUST; be able to recognize and exclude all of its own server
    24112414   names, including any aliases, local variations, or literal IP addresses.
    2412    An example request-line would be:
     2417   An example absolute-form of request-line would be:
    24142419<figure><artwork type="message/http; msgtype=&#34;request&#34;" x:indent-with="  ">
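Review bot: the paragraph removed at old lines 2396-2402 carried two recipient-side requirements (the origin server &MUST; decode a percent-encoded request-target, and servers &SHOULD; respond to invalid request-targets with an appropriate status code), and none of the added lines visible in this changeset restates them. Making the client responsible for sending a well-formed request-target does not remove the need for a server to deal with one that is not, so either keep a sentence on how a recipient handles an invalid request-target or add a reference to the section that now covers it. Separately, the anchor changes from "absolute-URI-form" to "absolute-form" at new line 2404; check that no xref elsewhere still targets the old name.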
    2418    To allow for transition to absolute-URIs in all requests in future
    2419    versions of HTTP, all HTTP/1.1 servers &MUST; accept the absolute-URI
    2420    form in requests, even though HTTP/1.1 clients will only generate
    2421    them in requests to proxies.
    2422 </t>
    2423 <t>
    2424    If a proxy receives a host name that is not a fully qualified domain
    2425    name, it &MAY; add its domain to the host name it received. If a proxy
    2426    receives a fully qualified domain name, the proxy &MUST-NOT; change
    2427    the host name.
    2428 </t>
    2429 <t anchor="authority-form"><iref item="authority form (of request-target)"/>
    2430    The "authority form" of request-target, which &MUST-NOT; be used
    2431    with any request method other than CONNECT, is used to establish a
    2432    tunnel through one or more proxies (&CONNECT;).  For example,
     2423   To allow for transition to the absolute-form for all requests in some
     2424   future version of HTTP, HTTP/1.1 servers &MUST; accept the absolute-form
     2425   in requests, even though HTTP/1.1 clients will only send them in requests
     2426   to proxies.
     2428<t anchor="authority-form"><iref item="authority-form (of request-target)"/>
     2429   The authority-form of request-target is only used for CONNECT requests
     2430   (&CONNECT;).  When making a CONNECT request to establish a tunnel through
     2431   one or more proxies, a client &MUST; send only the target URI's
     2432   authority component (excluding any userinfo) as the request-target.
     2433   For example,
    24342435<figure><artwork type="message/http; msgtype=&#34;request&#34;" x:indent-with="  ">
    24352436CONNECT www.example.com:80 HTTP/1.1
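Review bot: new lines 2429-2432 replace the prohibition at old lines 2430-2431 (the authority form "&MUST-NOT; be used with any request method other than CONNECT") with the descriptive "is only used for CONNECT requests", so the text no longer contains a normative statement forbidding authority-form with other methods. If the prohibition is still intended, keep it as an explicit requirement on the client next to the new &MUST;, because a recipient deciding how to treat an authority-form request-target on a non-CONNECT method now has only descriptive wording to go on.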
    2437 <t anchor="asterix-form"><iref item="asterisk form (of request-target)"/>
    2438    The asterisk ("*") form of request-target, which &MUST-NOT; be used
    2439    with any request method other than OPTIONS, means that the request
    2440    applies to the server as a whole (the listening process) rather than
    2441    to a specific named resource at that server.  For example,
     2438<t anchor="asterisk-form"><iref item="asterisk-form (of request-target)"/>
     2439   The asterisk-form of request-target is only used for a server-wide
     2440   OPTIONS request (&OPTIONS;).  When a client wishes to request OPTIONS
     2441   for the server as a whole, as opposed to a specific named resource of
     2442   that server, the client &MUST; send only "*" (%x2A) as the request-target.
     2443   For example,
    24432445<figure><artwork type="message/http; msgtype=&#34;request&#34;" x:indent-with="  ">
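Review bot: the anchor at new line 2438 changes from "asterix-form" to "asterisk-form", which fixes the spelling but will leave any xref that still targets the old anchor dangling; none of the visible lines updates such a reference, so check the rest of the document before committing. The rewording at new lines 2439-2440 also drops the old "&MUST-NOT; be used with any request method other than OPTIONS" in favour of "is only used", so confirm that losing the explicit prohibition is intended.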
    2447    If a proxy receives an OPTIONS request with an absolute-URI form of
     2449   If a proxy receives an OPTIONS request with an absolute-form of
    24482450   request-target in which the URI has an empty path and no query component,
    2449    then the last proxy on the request chain &MUST; use a request-target
     2451   then the last proxy on the request chain &MUST; send a request-target
    24502452   of "*" when it forwards the request to the indicated origin server.
     2470   If a proxy receives a request-target with a host name that is not a
     2471   fully qualified domain name, it &MAY; add its domain to the host name
     2472   it received when forwarding the request.  A proxy &MUST-NOT; change the
     2473   host name if it is a fully qualified domain name.
    24682476   A non-transforming proxy &MUST-NOT; rewrite the "path-absolute" and "query"
    24692477   parts of the received request-target when forwarding it to the next inbound
    2470    server, except as noted above to replace a null path-absolute with "/" or
    2471    "*".
     2478   server, except as noted above to replace an empty path with "/" or "*".
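Review bot: the &MAY; at new lines 2470-2472 lets a proxy add its domain to a non-qualified host name "when forwarding the request", while new lines 2523-2525 require the forwarded Host field-value to be generated from the received request-target. As written, the forwarded request-target and the forwarded Host can name different hosts. State which host name the generated Host field-value carries when the proxy has amended the name, so that downstream routing and cache keys see one consistent value.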
    24802487   The "Host" header field in a request provides the host and port
    2481    information from the target resource's URI, enabling the origin
    2482    server to distinguish between resources while servicing requests
     2488   information from the target URI, enabling the origin
     2489   server to distinguish among resources while servicing requests
    24832490   for multiple host names on a single IP address.  Since the Host
    24842491   field-value is critical information for handling a request, it
    24912498   A client &MUST; send a Host header field in all HTTP/1.1 request
    2492    messages.  If the target resource's URI includes an authority
    2493    component, then the Host field-value &MUST; be identical to that
    2494    authority component after excluding any userinfo (<xref target="http.uri"/>).
    2495    If the authority component is missing or undefined for the target
    2496    resource's URI, then the Host header field &MUST; be sent with an
    2497    empty field-value.
     2499   messages.  If the target URI includes an authority component, then
     2500   the Host field-value &MUST; be identical to that authority component
     2501   after excluding any userinfo (<xref target="http.uri"/>).
     2502   If the authority component is missing or undefined for the target URI,
     2503   then the Host header field &MUST; be sent with an empty field-value.
    25082514   The Host header field &MUST; be sent in an HTTP/1.1 request even
    2509    if the request-target is in the form of an absolute-URI, since this
     2515   if the request-target is in the absolute-form, since this
    25102516   allows the Host information to be forwarded through ancient HTTP/1.0
    25112517   proxies that might not have implemented Host.
    2514    When an HTTP/1.1 proxy receives a request with a request-target in
    2515    the form of an absolute-URI, the proxy &MUST; ignore the received
     2520   When an HTTP/1.1 proxy receives a request with an absolute-form of
     2521   request-target, the proxy &MUST; ignore the received
    25162522   Host header field (if any) and instead replace it with the host
    2517    information of the request-target.  When a proxy forwards a request,
    2518    it &MUST; generate the Host header field based on the received
    2519    absolute-URI rather than the received Host.
     2523   information of the request-target.  If the proxy forwards the request,
     2524   it &MUST; generate a new Host field-value based on the received
     2525   request-target rather than forward the received Host field-value.
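Review bot: new lines 2523-2525 say the proxy generates the Host field-value "based on the received request-target" without saying which part of it, whereas the client rule at new lines 2499-2501 is explicit that Host is the authority component after excluding any userinfo. Repeat that qualification here, or reference the client rule, so a forwarding proxy does not copy userinfo from an absolute-form request-target into the Host header field.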
    25242530   a shared cache or redirect a request to an unintended server.
    25252531   An interception proxy is particularly vulnerable if it relies on
    2526    the Host header field value for redirecting requests to internal
     2532   the Host field-value for redirecting requests to internal
    25272533   servers, or for use as a cache key in a shared cache, without
    25282534   first verifying that the intercepted connection is targeting a
    25342540   to any request message that contains more than one Host header field
    25352541   or a Host header field with an invalid field-value.
    2536 </t>
    2537 <t>
    2538    See Sections <xref target="the.resource.identified.by.a.request" format="counter"/>
    2539    and <xref target="changes.to.simplify.multi-homed.web.servers.and.conserve.ip.addresses" format="counter"/>
    2540    for other requirements relating to Host.
    51455146<x:ref>absolute-URI</x:ref> = &lt;absolute-URI, defined in [RFC3986], Section 4.3&gt;
     5147<x:ref>absolute-form</x:ref> = absolute-URI
     5148<x:ref>asterisk-form</x:ref> = "*"
    51465149<x:ref>attribute</x:ref> = token
    51475150<x:ref>authority</x:ref> = &lt;authority, defined in [RFC3986], Section 3.2&gt;
     5151<x:ref>authority-form</x:ref> = authority
    51495153<x:ref>chunk</x:ref> = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
    51765180<x:ref>obs-fold</x:ref> = CRLF ( SP / HTAB )
    51775181<x:ref>obs-text</x:ref> = %x80-FF
     5182<x:ref>origin-form</x:ref> = path-absolute [ "?" query ]
    51795184<x:ref>partial-URI</x:ref> = relative-part [ "?" query ]
    52045209<x:ref>relative-part</x:ref> = &lt;relative-part, defined in [RFC3986], Section 4.2&gt;
    52055210<x:ref>request-line</x:ref> = method SP request-target SP HTTP-version CRLF
    5206 <x:ref>request-target</x:ref> = "*" / absolute-URI / ( path-absolute [ "?" query ] )
    5207  / authority
     5211<x:ref>request-target</x:ref> = origin-form / absolute-form / authority-form /
     5212 asterisk-form
    52095214<x:ref>special</x:ref> = "(" / ")" / "&lt;" / "&gt;" / "@" / "," / ";" / ":" / "\" /