Ignore:
Timestamp:
26/01/14 11:14:39 (8 years ago)
Author:
fielding@…
Message:

Use factual phrasing for reconstructing an effective request URI
instead of a MUST; see #531

Update the description of constructing the effective request URI such
that it defers to local configuration.

Add a paragraph about the need for an origin server to verify that the
constructed URI is consistent with the connection context, and point to
(not yet complete) security considerations on routing; see #550

File:
1 edited

Legend:

Unmodified
Added
Removed
  • draft-ietf-httpbis/latest/p1-messaging.html

    r2586 r2587  
    19451945            <div id="rfc.iref.e.1"></div>
    19461946            <h2 id="rfc.section.5.5"><a href="#rfc.section.5.5">5.5</a>&nbsp;<a href="#effective.request.uri">Effective Request URI</a></h2>
    1947             <p id="rfc.section.5.5.p.1">A server that receives an HTTP request message <em class="bcp14">MUST</em> reconstruct the user agent's original target URI, based on the pieces of information learned from the request-target, <a href="#header.host" class="smpl">Host</a> header field, and connection context, in order to identify the intended target resource and properly service the request.
    1948                The URI derived from this reconstruction process is referred to as the "<dfn>effective request URI</dfn>".
     1947            <p id="rfc.section.5.5.p.1">Since the request-target often contains only part of the user agent's target URI, a server reconstructs the intended target
     1948               as an "<dfn>effective request URI</dfn>" to properly service the request. This reconstruction involves both the server's local configuration and information communicated
     1949               in the request-target, <a href="#header.host" class="smpl">Host</a> header field, and connection context.
    19491950            </p>
    19501951            <p id="rfc.section.5.5.p.2">For a user agent, the effective request URI is the target URI.</p>
    19511952            <p id="rfc.section.5.5.p.3">If the request-target is in absolute-form, then the effective request URI is the same as the request-target. Otherwise, the
    1952                effective request URI is constructed as follows.
    1953             </p>
    1954             <p id="rfc.section.5.5.p.4">If the request is received over a TLS-secured TCP connection, then the effective request URI's scheme is "https"; otherwise,
    1955                the scheme is "http".
    1956             </p>
    1957             <p id="rfc.section.5.5.p.5">If the request-target is in authority-form, then the effective request URI's authority component is the same as the request-target.
    1958                Otherwise, if a <a href="#header.host" class="smpl">Host</a> header field is supplied with a non-empty field-value, then the authority component is the same as the Host field-value. Otherwise,
    1959                the authority component is the concatenation of the default host name configured for the server, a colon (":"), and the connection's
    1960                incoming TCP port number in decimal form.
    1961             </p>
    1962             <p id="rfc.section.5.5.p.6">If the request-target is in authority-form or asterisk-form, then the effective request URI's combined path and query component
    1963                is empty. Otherwise, the combined path and query component is the same as the request-target.
    1964             </p>
    1965             <p id="rfc.section.5.5.p.7">The components of the effective request URI, once determined as above, can be combined into absolute-URI form by concatenating
    1966                the scheme, "://", authority, and combined path and query component.
    1967             </p>
     1953               effective request URI is constructed as follows:
     1954            </p>
     1955            <ul class="empty">
     1956               <li>If the server's configuration (or outbound gateway) provides a fixed URI scheme, that scheme is used for the effective request
     1957                  URI. Otherwise, if the request is received over a TLS-secured TCP connection, the effective request URI's scheme is "https";
     1958                  if not, the scheme is "http".
     1959               </li>
     1960               <li>If the server's configuration (or outbound gateway) provides a fixed URI authority component, that authority is used for the
     1961                  effective request URI. If not, then if the request-target is in authority-form, the effective request URI's authority component
     1962                  is the same as the request-target. If not, then if a <a href="#header.host" class="smpl">Host</a> header field is supplied with a non-empty field-value, the authority component is the same as the Host field-value. Otherwise,
     1963                  the authority component is assigned the default name configured for the server and, if the connection's incoming TCP port
     1964                  number differs from the default port for the effective request URI's scheme, then a colon (":") and the incoming port number
     1965                  (in decimal form) are appended to the authority component.
     1966               </li>
     1967               <li>If the request-target is in authority-form or asterisk-form, the effective request URI's combined path and query component
     1968                  is empty. Otherwise, the combined path and query component is the same as the request-target.
     1969               </li>
     1970               <li>The components of the effective request URI, once determined as above, can be combined into absolute-URI form by concatenating
     1971                  the scheme, "://", authority, and combined path and query component.
     1972               </li>
     1973            </ul>
    19681974            <div id="rfc.figure.u.48"></div>
    19691975            <p>Example 1: the following message received over an insecure TCP connection</p><pre class="text">GET /pub/WWW/TheProject.html HTTP/1.1
     
    19761982</pre><div id="rfc.figure.u.51"></div>
    19771983            <p>has an effective request URI of</p><pre class="text">https://www.example.org
    1978 </pre><p id="rfc.section.5.5.p.12">An origin server that does not allow resources to differ by requested host <em class="bcp14">MAY</em> ignore the <a href="#header.host" class="smpl">Host</a> field-value and instead replace it with a configured server name when constructing the effective request URI.
    1979             </p>
    1980             <p id="rfc.section.5.5.p.13">Recipients of an HTTP/1.0 request that lacks a <a href="#header.host" class="smpl">Host</a> header field <em class="bcp14">MAY</em> attempt to use heuristics (e.g., examination of the URI path for something unique to a particular host) in order to guess
    1981                the effective request URI's authority component.
     1984</pre><p id="rfc.section.5.5.p.8">Recipients of an HTTP/1.0 request that lacks a <a href="#header.host" class="smpl">Host</a> header field might need to use heuristics (e.g., examination of the URI path for something unique to a particular host) in
     1985               order to guess the effective request URI's authority component.
     1986            </p>
     1987            <p id="rfc.section.5.5.p.9">Once the effective request URI has been constructed, an origin server needs to decide whether or not to provide service for
     1988               that URI via the connection in which the request was received. For example, the request might have been misdirected, deliberately
     1989               or accidentally, such that the information within a received absolute-form URI or <a href="#header.host" class="smpl">Host</a> header field differs from the host or port upon which the connection has been made. If the connection is from a trusted gateway,
     1990               that inconsistency might be expected; otherwise, it might indicate an attempt to bypass security filters, trick the server
     1991               into delivering non-public content, or poison a cache. See <a href="#security.considerations" title="Security Considerations">Section&nbsp;9</a> for security considerations regarding message routing.
    19821992            </p>
    19831993         </div>
Note: See TracChangeset for help on using the changeset viewer.