by freeone3000 329 days ago
It’s a good thing we have RFCs! For duplicate Host, you MUST respond with a 400. If the Host is different than the authority, Host must be ignored. If Host is not specified, it must be provided to upstream. See “Host” in RFC 7230:

https://www.rfc-editor.org/rfc/rfc7230#section-5.4
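The Host rules in RFC 7230 section 5.4, as an added example that is not part of the thread: a sketch of the checks a proxy makes before forwarding a request. `resolve_host` and the sample values are constructed here, and the Host syntax check is a simplified approximation of the URI grammar.

```python
import re

# Host = uri-host [ ":" port ]; simplified check, not the full RFC 3986 grammar.
_HOST_RE = re.compile(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9._~!$&'()*+,;=%-]*)(:\d*)?$")
# absolute-form request-target: scheme "://" authority ...
_ABS_FORM_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#]*)")


def resolve_host(version, target, headers):
    """Return (status, host) for a request received by a proxy.

    headers is a list of (name, value) pairs in wire order, so duplicate
    fields stay visible. status is 400 where section 5.4 requires rejection,
    otherwise None and host is the value to send upstream.
    """
    hosts = [v.strip() for n, v in headers if n.lower() == "host"]

    # More than one Host field: 400, regardless of whether the values agree.
    if len(hosts) > 1:
        return 400, None
    # HTTP/1.1 request without a Host field: 400.
    if version == "HTTP/1.1" and not hosts:
        return 400, None
    # Host field with an invalid field-value: 400.
    if hosts and not _HOST_RE.match(hosts[0]):
        return 400, None

    # absolute-form target: ignore the received Host and generate a new one
    # from the request-target's authority.
    m = _ABS_FORM_RE.match(target)
    if m:
        # Choice made in this example: drop any userinfo before the host.
        return None, m.group(1).rsplit("@", 1)[-1]

    return None, hosts[0] if hosts else None


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("HTTP/1.1", "/", [("Host", "a.example"), ("host", "b.example")]),
        ("HTTP/1.1", "/", []),
        ("HTTP/1.1", "http://origin.example:8080/x", [("Host", "other.example")]),
        ("HTTP/1.1", "/", [("Host", "a.example b.example")]),
    ]
    for s in samples:
        print(s, "->", resolve_host(*s))
```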


It's a good thing all RFCs are 100% specified with no ambiguities.

EDIT: Sorry I dropped my /s. I was only trying to say that unfortunately not all RFCs are sufficiently specified... and that I think saying "good thing we have RFCs" should not imply they will all be sufficiently specified, which is how I interpreted their comment... and didn't feel like typing all this out, but I guess it was necessary anyway.

That's a very weird take as a reply on a bit that is sufficiently specified.
Sorry, what I was implying is that "It’s a good thing we have RFCs" doesn't mean that they ARE always sufficiently specified... even if this one is.
I understand that: the problem is that in this example, it is, so the problem is obviously somewhere else — that's what we should explore.

Is it just that the RFC has not been read properly? Maybe, but even if it was, I do not think having precisely defined behaviour in RFCs is sufficient: real world implementations have to be more flexible due to other buggy implementations they interact with.

I mean, I was pointing out one in a chain of security failures reverse proxies have had. I could probably point out 20-30 other ones that have cropped up. Adding the binary complexity to H2 has really increased the number of these coming.