net/http: HTTP/1.1 requests without Host header should be rejected

[CAFxX]

HTTP/1.1 mandates (both in RFC2616 and RFC7230) that requests lacking a Host header should unconditionally receive a 400 Bad Request response.

https://tools.ietf.org/html/rfc2616#section-14.23
All Internet-based HTTP/1.1 servers MUST respond with a 400 (Bad Request)
status code to any HTTP/1.1 request message which lacks a Host header
field.

https://tools.ietf.org/html/rfc7230#section-5.4
A server MUST respond with a 400 (Bad Request) status code to any
HTTP/1.1 request message that lacks a Host header field and to any
request message that contains more than one Host header field or a
Host header field with an invalid field-value.

Right now Go happily accepts such requests without returning 400: as such it's non-conforming to the RFCs.

[bradfitz]

I noticed this too recently in the process of working on #11206

[gopherbot]

CL https://golang.org/cl/17892 mentions this issue.

[cgcgbcbc]

How to accept http 1.0 request then?

[bradfitz]

@cgcgbcbc, HTTP/1.0 requests don't require Host headers. This bug only applies to HTTP/1.1 requests.