RFR: 8292876: Do not include the deprecated userinfo component of the URI in HTTP/2 headers [v5]
Jaikiran Pai
jpai at openjdk.org
Thu Oct 13 05:21:10 UTC 2022
On Thu, 13 Oct 2022 05:15:13 GMT, Jaikiran Pai <jpai at openjdk.org> wrote:
>>> So it has specific text about the scheme being "http" or "https". Should we add a check here to check the scheme, before creating this authority header with just the host:port?
>>
>> I don't see how we could reach here if the scheme isn't "http" or "https". Do you have anything in mind Jaikiran? Oh websocket - I see. We don't support websocket over HTTP/2. We could possibly in the future, and if we did, we probably still wouldn't want to send the user-info in the upgrade request?
>
>> > Should we be doing something similar here while constructing the authority header, to be consistent?
>>
>> Well https://www.rfc-editor.org/rfc/rfc9113.html#name-simple-request has an example where authority doesn't have the port - so I don't think we need to add it. FWIW the HTTP/1.1 code seems to be _removing_ the port when it's the default one. Probably for normalization of the host string?
>
> Hello Daniel, you are right - the HTTP/1.1 code is removing the port for default ports. I agree - it's fine to leave this new code in the current form here, without trying to match what's in HTTP/1.1 code.
> Oh websocket - I see. We don't support websocket over HTTP/2. We could possibly in the future, and if we did, we probably still wouldn't want to send the user-info in the upgrade request?

The current state of this new code is fine. I was only checking if there's a chance that any scheme other than http or https could reach here. Based on what you confirmed, I think this is fine in the current form.
-------------
PR: https://git.openjdk.org/jdk/pull/10592
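
An added illustration of the points discussed in this thread; it is not code from the PR or from the JDK. It builds an HTTP/2 ":authority" value as host[:port] without the userinfo component, rejects schemes other than http and https, and optionally drops the default port the way the thread describes the HTTP/1.1 code doing. The class name, the authorityFor helper, its dropDefaultPort flag and the sample URIs are assumptions made for the example.

```java
import java.net.URI;
import java.util.Locale;

public class AuthorityHeaderExample {

    // Hypothetical helper: returns host[:port] for the ":authority" pseudo-header.
    // The userinfo part of the URI ("user:password@") is never copied.
    static String authorityFor(URI uri, boolean dropDefaultPort) {
        String scheme = uri.getScheme();
        if (scheme == null) {
            throw new IllegalArgumentException("URI has no scheme");
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            throw new IllegalArgumentException("unsupported scheme: " + scheme);
        }
        // getHost() excludes userinfo; IPv6 literals are returned already bracketed.
        String host = uri.getHost();
        if (host == null) {
            // Keep credentials out of the message: do not echo the raw authority.
            throw new IllegalArgumentException("URI has no host");
        }
        int port = uri.getPort();                 // -1 when no explicit port is given
        int defaultPort = scheme.equals("https") ? 443 : 80;
        if (port == -1 || (dropDefaultPort && port == defaultPort)) {
            return host;
        }
        return host + ":" + port;
    }

    public static void main(String[] args) {
        // Constructed sample URIs, not taken from the PR.
        String[] samples = {
            "https://alice:s3cret@example.com:8443/index.html",
            "http://alice@example.com:80/",
            "https://alice:s3cret@[2001:db8::1]:443/",
            "http://example.com/"
        };
        for (String s : samples) {
            URI uri = URI.create(s);
            System.out.println("raw authority  : " + uri.getRawAuthority());
            System.out.println("  as-is port   : " + authorityFor(uri, false));
            System.out.println("  default drop : " + authorityFor(uri, true));
        }
    }
}
```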