Request Authority checks needed
joakime opened this issue · 0 comments
joakime commented
Jetty version(s): 12.0.12
Jetty Environment: Any
Java version/vendor (use: java -version): Any
OS type/version: Any
Description
In light of the changes to HttpCompliance in the AuthorityCustomizer (PR #12066), it was determined that the request authority checks should occur after the Customizers run, not before.
This would hopefully catch things like missing authority, bad authorities, blank authorities, and mismatched authorities.
The various specs and their statements on request authority for us to base this on ...
- https://datatracker.ietf.org/doc/html/rfc9110#name-host-and-authority
- https://datatracker.ietf.org/doc/html/rfc9110#name-establishing-authority
- https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2.3
- https://datatracker.ietf.org/doc/html/rfc7540#section-8.3
- https://datatracker.ietf.org/doc/html/rfc7540#section-10.1
We should also be aware of authority changes outside of the HTTP protocol (like from Forwarded headers).
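As an added illustration (not Jetty code, and not from this issue or PR #12066): a constructed request model in which the authority check runs only after the customizers, so the missing, blank, bad and mismatched cases listed above are judged on the authority the application will actually see, including one rewritten by a hypothetical Forwarded-header customizer.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit

@dataclass
class Request:                       # constructed minimal model, not Jetty's Request API
    target: str                      # request-target: "/path" or absolute-form "http://h/path"
    headers: Dict[str, str]          # lower-cased names; HTTP/2 pseudo-header as ":authority"
    authority: Optional[str] = None  # the value the application will act on, set by process()

# host[:port] as allowed in Host / :authority (simplified RFC 3986 uri-host syntax)
AUTHORITY_RE = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.\-]+)(:\d{1,5})?$")

def forwarded_customizer(req: Request) -> None:
    """Hypothetical customizer: the host= parameter of a Forwarded header replaces the
    authority. Only the first forwarded-element is read; proxy trust is assumed decided elsewhere."""
    first = req.headers.get("forwarded", "").split(",")[0]
    for pair in first.split(";"):
        name, _, value = pair.strip().partition("=")
        if name.lower() == "host":
            req.authority = value.strip().strip('"')

def protocol_authority(req: Request) -> Optional[str]:
    """Authority as conveyed by the protocol itself, before any customizer runs."""
    if ":authority" in req.headers:                          # HTTP/2 pseudo-header
        return req.headers[":authority"]
    if req.target.startswith(("http://", "https://")):       # HTTP/1.1 absolute-form target
        return urlsplit(req.target).netloc
    return req.headers.get("host")                           # HTTP/1.1 origin-form: Host header

def authority_check(req: Request) -> str:
    """Return 'ok' or a rejection reason; intended to run AFTER the customizers."""
    if req.authority is None:
        return "missing authority"
    if req.authority.strip() == "":
        return "blank authority"
    if not AUTHORITY_RE.match(req.authority):
        return "bad authority"
    host, proto = req.headers.get("host"), protocol_authority(req)
    if host is not None and proto is not None and host != proto:
        return "mismatched authority"                        # Host disagrees with :authority / absolute-form
    return "ok"

def process(req: Request, customizers=(forwarded_customizer,)) -> str:
    req.authority = protocol_authority(req)                  # 1. what the protocol said
    for customize in customizers:                            # 2. customizers may replace it
        customize(req)
    return authority_check(req)                              # 3. validate what will actually be used
```

Running the check before the customizers would accept the request whose Forwarded header carries an empty host, because the protocol-level Host looked fine at that point.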