On 08/05/2023 22:04, Christopher Schultz wrote:
> On 5/8/23 10:39, Mark Thomas wrote:
> 
> <snip/>
> 
>> The port the client connects to is irrelevant. All that matters is the host in the request line and the host header.
>>
>> 1. The host header MUST be present
>> 2. If a host is present in the request line it MUST be identical (host and port) to the host header.
> 
> NB: the spec says that the URL takes precedence if there is a mismatch, but when setting allowHostHeaderMismatch="false" (the current default), then Tomcat is being stricter than the spec.

That is not correct. The two requirements stated above have been RFC "MUST" requirements since 2014.

RFC 2616 (June 1999) stated that any host in the request line takes precedence.

RFC 7230 (June 2014) stated that any host in the request line MUST match the host header although there is also language that suggests they might be different.

RFC 9112 (June 2022) states that any host in the request line MUST match the host header.

Mark
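As an added illustration of the two rules Mark lists (this is not code from the thread or from Tomcat), the following Python check applies them to a raw HTTP/1.1 request head; the `allow_host_header_mismatch` flag is an assumed analogue of Tomcat's allowHostHeaderMismatch setting, the "request line wins" fallback is an assumption modelled on the RFC 2616 precedence rule, and the sample requests are constructed.

```python
import re
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

# An absolute-form request-target starts with "scheme://" and carries an authority.
ABSOLUTE_FORM = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")

class HostCheck(NamedTuple):
    status: int                    # 400 when rejected, 200 when accepted
    effective_host: Optional[str]  # authority the request would be routed on
    reason: str

def _parse_head(raw: bytes):
    """Split a request head into (request-target, version, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *field_lines = head.split("\r\n")
    _method, target, version = request_line.split(" ", 2)
    fields = []
    for line in field_lines:
        if line:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return target, version, fields

def check_host(raw: bytes, allow_host_header_mismatch: bool = False) -> HostCheck:
    """Rule 1: Host must be present. Rule 2: request-line host must be identical to Host."""
    target, version, fields = _parse_head(raw)
    host_values = [v for n, v in fields if n == "host"]
    if version == "HTTP/1.1" and not host_values:
        return HostCheck(400, None, "rule 1: Host header missing")
    if len(host_values) > 1:
        return HostCheck(400, None, "Host header is not unique")
    host_header = host_values[0] if host_values else None
    request_line_host = urlsplit(target).netloc if ABSOLUTE_FORM.match(target) else None
    # Exact string comparison: "identical" covers both host and port, no normalisation.
    if (request_line_host is not None and host_header is not None
            and request_line_host != host_header):
        if not allow_host_header_mismatch:
            return HostCheck(400, None, "rule 2: request-line host differs from Host header")
        # Assumed legacy behaviour (allowHostHeaderMismatch="true"): request-line authority wins.
        return HostCheck(200, request_line_host, "mismatch tolerated, request line wins")
    return HostCheck(200, request_line_host or host_header, "ok")

# Constructed sample requests, not taken from the thread.
MATCH = b"GET http://example.com:8080/app HTTP/1.1\r\nHost: example.com:8080\r\n\r\n"
MISMATCH = b"GET http://example.com:8080/app HTTP/1.1\r\nHost: example.com\r\n\r\n"
NO_HOST = b"GET /app HTTP/1.1\r\n\r\n"
```

Note that MISMATCH differs only in the port, which is enough to fail rule 2 under the strict default.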

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
