
Ticket #92 (closed editorial: invalid)

Opened 7 years ago

Last modified 7 years ago

Empty Host Headers - BNF

Reported by: mnot@pobox.com
Owned by:
Priority:
Milestone: unassigned
Component: p1-messaging
Severity:
Keywords:
Cc:
Origin: http://www.w3.org/mid/qdi8k39d7usrse8bnrj8ee8kbaell140q0@hive.bjoern.hoehrmann.de

Description

The specification states "If the requested URI does not include an Internet host name for the service being requested, then the Host header field MUST be given with an empty value" but the grammar does not seem to allow this.

Host = "Host" ":" host [ ":" port ] ; Section 3.2.2

should be changed into

Host = "Host" ":" [ host [ ":" port ] ] ; Section 3.2.2

Change History

comment:1 Changed 7 years ago by mnot@pobox.com

  • Component set to auth
  • Milestone set to unassigned

comment:2 Changed 7 years ago by mnot@pobox.com

  • Component changed from auth to messaging

comment:3 Changed 7 years ago by fielding@gbiv.com

  • Status changed from new to closed
  • Resolution set to invalid

host, as defined by RFC 3986, can be empty. (see reg-name production)

comment:4 Changed 7 years ago by julian.reschke@gmx.de

So... assuming we replaced RFC2396's host with RFC3986's host, the following would become legal:

Host: :81

Bug or feature?

(old thread: <http://lists.w3.org/Archives/Public/ietf-http-wg/2007OctDec/thread.html#msg229>)

comment:5 Changed 7 years ago by fielding@gbiv.com

Feature. The field must contain whatever the URI contains, so limiting it syntactically would assume we control URIs.

comment:6 Changed 7 years ago by mnot@pobox.com

It would be interesting to see if that form breaks any servers today; it's not exactly obvious.

Should this be called out explicitly in the spec (e.g., with an example)?

comment:7 Changed 7 years ago by fielding@gbiv.com

Note RFC3986, section 6.2.3:

Another case where normalization varies by scheme is in the handling of an empty authority component or empty host subcomponent. For many scheme specifications, an empty authority or host is considered an error; for others, it is considered equivalent to "localhost" or the end-user's host. When a scheme defines a default for authority and a URI reference to that default is desired, the reference should be normalized to an empty authority for the sake of uniformity, brevity, and internationalization. If, however, either the userinfo or port subcomponents are non-empty, then the host should be given explicitly even if it matches the default.

In other words, part 1 needs to define that an empty host is an error for the http and https schemes.

In any case, servers that break based on any network input, valid or not, are broken.
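Added example, not part of the ticket or of the HTTPbis drafts: a small Python check of the grammar discussed in comments 3 to 7, showing that `host [ ":" port ]` with RFC 3986's host accepts both an empty value and `:81`, next to a stricter server-side policy that treats an empty host as an error for http/https. The function names, the loose IP-literal pattern and the port range check are assumptions made for this sketch.

```python
import re

# RFC 3986 reg-name = *( unreserved / pct-encoded / sub-delims ); "*" permits zero characters.
REG_NAME = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*"
# Assumption: IP-literal is matched loosely (brackets around hex digits, colons, dots).
IP_LITERAL = r"\[[0-9A-Fa-f:.]+\]"
# Field value from the ticket: host [ ":" port ], with RFC 3986 port = *DIGIT.
HOST_VALUE = re.compile(rf"(?P<host>{IP_LITERAL}|{REG_NAME})(?::(?P<port>[0-9]*))?")


def parse_host(value):
    """Return (host, port) if value matches the grammar, else None."""
    m = HOST_VALUE.fullmatch(value.strip(" \t"))
    if m is None:
        return None
    return m.group("host"), m.group("port")


def accept_for_http(value):
    """Stricter policy: grammar match, non-empty host, usable port."""
    parsed = parse_host(value)
    if parsed is None:
        return False
    host, port = parsed
    if host == "":
        return False  # empty host is an error for http/https (comment 7)
    # Assumption added for this sketch: a given port must be 1..65535.
    if port and not (0 < int(port) <= 65535):
        return False
    return True


# Constructed sample field values, not taken from any capture.
SAMPLES = ["example.org", "example.org:8080", "[::1]:443", "", ":81",
           "a b.example", "example.org:80:80", "example.org/path"]


def classify(samples=SAMPLES):
    """Map each value to (matches grammar, accepted by the stricter policy)."""
    return {s: (parse_host(s) is not None, accept_for_http(s)) for s in samples}


if __name__ == "__main__":
    for value, (grammatical, accepted) in classify().items():
        print(f"{value!r:22} grammar={grammatical!s:5} accepted={accepted}")
```

A server or intermediary that routes on Host can apply a check like `accept_for_http` before virtual-host lookup, so that a grammatical but empty host is answered with an error instead of falling through to a default site.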
