RFR: 8354276: Strict HTTP header validation [v6]

[Jaikiran Pai]

On Tue, 29 Apr 2025 15:40:20 GMT, Daniel Jeliński <djelinski at openjdk.org> wrote:

>> RFC 9113 HTTP/2 mandates certain validation for HTTP headers; the HttpClient don't fully implement the described requirements.
>> 
>> This PR adds the following validation:
>> - pseudo-headers defined for requests are rejected in responses and push streams
>> - pseudo-headers defined for responses are rejected in push promises
>> - connection headers are rejected in responses and push streams
>> 
>> Connection headers are still accepted in push promises; that's because some popular server implementations were found to echo the request headers in push promises, and when the original request was a HTTP/1 upgrade, the push promise could contain one or more headers that were prohibited in HTTP/2 but allowed in HTTP/1.
>> 
>> An existing test was adapted to verify the handling of response headers. The modified test passes with this the changes in this PR, fails without them. Other tier1-3 tests continue to pass.
>
> Daniel Jeliński has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Migrate to HttpServerAdapters

test/jdk/java/net/httpclient/http2/BadPushPromiseTest.java line 87:

> 85:         int port = server.getAddress().getPort();
> 86:         System.err.println("Server listening on port " + port);
> 87:         uri = new URI("http://localhost:" + port + "/foo/a/b/c");

Hello Daniel, I think we should avoid `localhost` usage here and instead use `URIBuilder` test library util and then pass it  `InetAddress.getLoopbackAddress()` as the host. That should help avoid issues related to `localhost` being mapped to some other address and at the same time allow constructing the right URL when `InetAddress.getLoopbackAddress()` returns an IPv6 address.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/24569#discussion_r2068156334