RFR: 8292876: Do not include the deprecated userinfo component of the URI in HTTP/2 headers [v5]
Daniel Fuchs
dfuchs at openjdk.org
Tue Oct 11 13:39:17 UTC 2022
On Tue, 11 Oct 2022 13:12:06 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:
>>> Hello Darragh, the RFC-7540 https://www.rfc-editor.org/rfc/rfc7540.html#section-8.1.2.3 states:
>>
>>
>> FWIW, RFC 7540 is now irrelevant; see https://www.rfc-editor.org/rfc/rfc9113.html instead
>
>> Should we be doing something similar here while constructing the authority header, to be consistent?
>
> Well https://www.rfc-editor.org/rfc/rfc9113.html#name-simple-request has an example where authority doesn't have the port - so I don't think we need to add it. FWIW the HTTP/1.1 code seems to be *removing* the port when it's the default one. Probably for normalization of the host string?
> So it has specific text about the scheme being "http" or "https". Should we add a check here to check the scheme, before creating this authority header with just the host:port?
I don't see how we could reach here if the scheme isn't "http" or "https". Do you have anything in mind Jaikiran? Oh websocket - I see. We don't support websocket over HTTP/2. We could possibly in the future, and if we did, we probably still wouldn't want to send the user-info in the upgrade request?
-------------
PR: https://git.openjdk.org/jdk/pull/10592
More information about the net-dev
mailing list