The server MUST include a value in the :authority pseudo-header field for which the server is authoritative (see Section 10.1). A client MUST treat a PUSH_PROMISE for which the server is not authoritative as a stream error (Section 5.4.2) of type PROTOCOL_ERROR.
Right now, libcurl leaves that check for the application without it being documented or explained.
I expected the following
libcurl needs to check the header and reject pushes for non-validated authorities.
RFC 7540 says we should verify that the push is for an "authoritative"
server. We make sure of this by only allowing push with an :authority
header that matches the host that was asked for in the URL.
Reported-by: Nicolas Grekas
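The check described in the commit message, as an added example that is not libcurl's own code: the pushed `:authority` value is accepted only when it names the same host and port as the request the client sent, and anything unparsable is rejected. It assumes case-insensitive host names, port 443 when `:authority` carries no port (h2 over TLS), and leaves IPv6 literals out of scope.

```c
/* Added example, not libcurl's own code: accept a PUSH_PROMISE only when its
 * :authority names the host and port the client requested. Assumptions:
 * host names compare case-insensitively, an :authority with no port means
 * 443 (h2 over TLS), and IPv6 literals are out of scope. */
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
/* Split "host[:port]"; false on malformed input, which the caller treats
 * exactly like a non-matching authority (fail closed). */
static bool split_authority(const char *authority, char *host, size_t hostlen,
                            unsigned *port)
{
  const char *colon = authority ? strchr(authority, ':') : NULL;
  size_t n = authority ? (colon ? (size_t)(colon - authority)
                                : strlen(authority)) : 0;
  unsigned p = 443;                         /* default for https */
  if(n == 0 || n >= hostlen)
    return false;
  memcpy(host, authority, n);
  host[n] = '\0';
  if(colon) {                               /* explicit port: digits, 1..65535 */
    const char *s = colon + 1;
    for(p = 0; *s; s++)
      if(!isdigit((unsigned char)*s) || (p = p * 10 + (unsigned)(*s - '0')) > 65535)
        return false;
    if(!p)
      return false;
  }
  *port = p;
  return true;
}
/* True only if the pushed :authority matches the request's host and port;
 * anything else is rejected as a stream error of type PROTOCOL_ERROR. */
bool push_authority_ok(const char *request_host, unsigned request_port,
                       const char *push_authority)
{
  char host[256];
  unsigned port;
  if(!split_authority(push_authority, host, sizeof(host), &port) ||
     port != request_port)
    return false;
  for(size_t i = 0; ; i++) {                /* case-insensitive host compare */
    int a = tolower((unsigned char)request_host[i]);
    int b = tolower((unsigned char)host[i]);
    if(a != b)
      return false;
    if(!a)
      return true;
  }
}
```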