Skip to content

/ go

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/http: HTTP/1.1 requests without Host header should be rejected #13624

Closed
CAFxX opened this issue Dec 15, 2015 · 4 comments
Closed

net/http: HTTP/1.1 requests without Host header should be rejected #13624

CAFxX opened this issue Dec 15, 2015 · 4 comments
Assignees
@bradfitz
Labels
FrozenDueToAge
Milestone
Go1.6

Comments

@CAFxX
Copy link
Contributor

@CAFxX CAFxX commented Dec 15, 2015

HTTP/1.1 mandates (both in RFC2616 and RFC7230) that requests lacking a Host header should unconditionally receive a 400 Bad Request response.

https://tools.ietf.org/html/rfc2616#section-14.23
All Internet-based HTTP/1.1 servers MUST respond with a 400 (Bad Request)
status code to any HTTP/1.1 request message which lacks a Host header
field.

https://tools.ietf.org/html/rfc7230#section-5.4
A server MUST respond with a 400 (Bad Request) status code to any
HTTP/1.1 request message that lacks a Host header field and to any
request message that contains more than one Host header field or a
Host header field with an invalid field-value.

Right now Go happily accepts such requests without returning 400: as such it's non-conforming to the RFCs.
@bradfitz bradfitz changed the title HTTP/1.1 requests without Host header should be rejected net/http: HTTP/1.1 requests without Host header should be rejected Dec 15, 2015
@bradfitz bradfitz self-assigned this Dec 15, 2015
@bradfitz

This comment has been minimized.

Sign in to view
Copy link
Contributor

@bradfitz bradfitz commented Dec 15, 2015

I noticed this too recently in the process of working on #11206
@bradfitz bradfitz added this to the Go1.6 milestone Dec 15, 2015
@gopherbot

This comment has been minimized.

Sign in to view
Copy link

@gopherbot gopherbot commented Dec 16, 2015

CL https://golang.org/cl/17892 mentions this issue.
@bradfitz bradfitz closed this in 6e11f45 Dec 16, 2015
@calavera calavera mentioned this issue Mar 23, 2016
Closed
This was referenced Apr 4, 2016
Closed
Closed
This was referenced Apr 13, 2016
Closed
Closed
@lrusak lrusak mentioned this issue May 12, 2016
Merged
@Confusion Confusion mentioned this issue Jul 8, 2016
Closed
@cgcgbcbc

This comment has been minimized.

Sign in to view
Copy link

@cgcgbcbc cgcgbcbc commented Jul 14, 2016

How to accept http 1.0 request then?
@bradfitz

This comment has been minimized.

Sign in to view
Copy link
Contributor

@bradfitz bradfitz commented Jul 14, 2016

@cgcgbcbc, HTTP/1.0 requests don't require Host headers. This bug only applies to HTTP/1.1 requests.
@golang golang locked and limited conversation to collaborators Jul 14, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@bradfitz bradfitz

Labels
FrozenDueToAge
Projects
None yet
Milestone
  Go1.6
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants
@CAFxX @bradfitz @gopherbot @cgcgbcbc
You can’t perform that action at this time.