Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#92 closed editorial (invalid)

Empty Host Headers - BNF

Reported by: mnot@…
Owned by:
Priority:
Milestone: unassigned
Component: p1-messaging
Severity:
Keywords:
Cc:

Description

The specification states "If the requested URI does not include an Internet host name for the service being requested, then the Host header field MUST be given with an empty value" but the grammar does not seem to allow this.

Host = "Host" ":" host [ ":" port ] ; Section 3.2.2

should be changed into

Host = "Host" ":" [ host [ ":" port ] ] ; Section 3.2.2

Change History (7)

comment:1 Changed 12 years ago by mnot@…

  • Component set to auth
  • Milestone set to unassigned

comment:2 Changed 12 years ago by mnot@…

  • Component changed from auth to messaging

comment:3 Changed 12 years ago by fielding@…

  • Resolution set to invalid
  • Status changed from new to closed

host, as defined by RFC 3986, can be empty. (see reg-name production)

comment:4 Changed 12 years ago by julian.reschke@…

So... assuming we replaced RFC2396's host with RFC3986's host, the following would become legal:

Host: :81

Bug or feature?

(old thread: <http://lists.w3.org/Archives/Public/ietf-http-wg/2007OctDec/thread.html#msg229>)

comment:5 Changed 12 years ago by fielding@…

Feature. The field must contain whatever the URI contains, so limiting it syntactically would assume we control URIs.

comment:6 Changed 12 years ago by mnot@…

It would be interesting to see if that form breaks any servers today; it's not exactly obvious.

Should this be called out explicitly in the spec (e.g., with an example)?

comment:7 Changed 12 years ago by fielding@…

Note RFC3986, section 6.2.3:

Another case where normalization varies by scheme is in the handling of an empty authority component or empty host subcomponent. For many scheme specifications, an empty authority or host is considered an error; for others, it is considered equivalent to "localhost" or the end-user's host. When a scheme defines a default for authority and a URI reference to that default is desired, the reference should be normalized to an empty authority for the sake of uniformity, brevity, and internationalization. If, however, either the userinfo or port subcomponents are non-empty, then the host should be given explicitly even if it matches the default.

In other words, part 1 needs to define that an empty host is an error for the http and https schemes.

In any case, servers that break based on any network input, valid or not, are broken.
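An added example, not part of the ticket or of the specification text: a server-side check showing that the grammar host [ ":" port ] with RFC 3986's reg-name accepts both an empty value and ":81", and flagging an empty host for http/https as comment 7 proposes. The function names, the result labels and the loose IP-literal pattern are assumptions made for this sketch.

```python
import re

# RFC 3986: reg-name = *( unreserved / pct-encoded / sub-delims )
# The leading "*" means zero characters is a valid reg-name, hence a valid host.
REG_NAME = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*"
# Assumption: IP-literal is matched loosely here; IPvFuture is not handled.
IP_LITERAL = r"\[[0-9A-Fa-f:.]+\]"
# Host field value per the ticket's grammar: host [ ":" port ], port = *DIGIT
HOST_VALUE = re.compile(rf"(?P<host>{IP_LITERAL}|{REG_NAME})(?::(?P<port>[0-9]*))?")


def parse_host_value(value):
    """Return (host, port) if value matches host [ ":" port ], else None."""
    m = HOST_VALUE.fullmatch(value.strip(" \t"))
    if m is None:
        return None
    return m.group("host"), m.group("port")


def check_host_header(value, scheme="http"):
    """Classify a Host field value as 'ok', 'empty-host' or 'malformed'."""
    parsed = parse_host_value(value)
    if parsed is None:
        return "malformed"
    host, _port = parsed
    # Grammatically valid, but an error for http/https under comment 7's reading.
    if host == "" and scheme in ("http", "https"):
        return "empty-host"
    return "ok"


def classify_samples():
    """Run the check over constructed sample values (not taken from real traffic)."""
    samples = ["example.com", "example.com:81", "[::1]:8080", "", ":81", "exa mple", "a:b"]
    return {value: check_host_header(value) for value in samples}


if __name__ == "__main__":
    for value, verdict in classify_samples().items():
        print(f"Host: {value!r:20} -> {verdict}")
```

A server that routes on Host would reject or default both the 'empty-host' and 'malformed' cases rather than passing the raw value to virtual-host lookup.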
