On Wed, 13 Feb 2019, Nicolas Grekas via curl-library wrote:

> Does curl validate the ":authority" header of HTTP/2 PUSH_PROMISE frames or is this left as an "exercise" to implementers?
>
> The RFC says it MUST be validated, so maybe that's already done by default? Does anyone know?

That's a very good question.

It isn't documented in the libcurl docs for push, which I think would be suitable.

I don't think this is a responsibility that should be pushed to the application. Not only because it isn't documented, but perhaps more importantly because the spec says so on a protocol level and we shouldn't hand over that burden to the app if we can avoid it, I think.

I think it is clear that curl doesn't do the check.

Then the question remains if nghttp2 does the check for us, but I browsed around in that code for a while and I can't say I'm entirely sure of my findings, but I couldn't see that it checked for this. I'm afraid this leaves me unable to answer the question with absolute certainty for the moment.

Do you have a setup where you can verify if such a "bad" header will be ignored and be left for the application to check?

--

 / daniel.haxx.se
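
An added example, not part of the original message and not curl or nghttp2 code: a conservative check an application could run from its push callback while it is unclear whether the library validates ":authority". It assumes the application keeps the "host[:port]" of the URL it requested; the function names are hypothetical, and exact host-and-port equality is stricter than the RFC, which allows any authority the server is authoritative for.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Split "host[:port]" (or "[v6]:port") into host length and port.
   Returns 0 on malformed input. Hypothetical helper, not a libcurl API. */
static int split_authority(const char *a, size_t *hostlen, long *port,
                           long defport)
{
    const char *colon = NULL;
    if (!a || !*a || strchr(a, '@'))   /* userinfo is not allowed here */
        return 0;
    if (a[0] == '[') {                 /* bracketed IPv6 literal */
        const char *end = strchr(a, ']');
        if (!end) return 0;
        *hostlen = (size_t)(end - a) + 1;
        if (end[1] == ':') colon = end + 1;
        else if (end[1] != '\0') return 0;
    } else {
        colon = strchr(a, ':');
        *hostlen = colon ? (size_t)(colon - a) : strlen(a);
    }
    *port = defport;
    if (colon) {
        char *rest;
        if (!isdigit((unsigned char)colon[1])) return 0;
        *port = strtol(colon + 1, &rest, 10);
        if (*rest != '\0' || *port < 1 || *port > 65535) return 0;
    }
    return *hostlen > 0;
}

/* Returns 1 only if the pushed :authority names the same host and port as
   the origin the application asked for. Intended use (assumption): inside a
   CURLMOPT_PUSHFUNCTION callback, pass curl_pushheader_byname(headers,
   ":authority") as `pushed` and return CURL_PUSH_DENY when this returns 0. */
int push_authority_allowed(const char *pushed, const char *origin,
                           long defport)
{
    size_t plen, olen;
    long pport, oport;
    if (!split_authority(pushed, &plen, &pport, defport) ||
        !split_authority(origin, &olen, &oport, defport))
        return 0;
    return plen == olen && pport == oport &&
           strncasecmp(pushed, origin, plen) == 0;
}
```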