From: "Roy T. Fielding"
Subject: Re: multiple host headers
Date: Mon, 13 Sep 2004 15:29:46 -0700
To: dev@httpd.apache.org
Message-Id: <6A8E9233-05D4-11D9-9FE3-000393753936@gbiv.com>
In-Reply-To: <1095089455.1433.38.camel@theoria>
References: <1095089455.1433.38.camel@theoria>

> Why do we merge multiple Host headers? I am getting weird things like
> this for headers_in host: "www.cnn.com, www.cnn.com"
>
> This may be correct, but it caught me by surprise!

Well, it is an invalid HTTP request. The question is, should we "fix" it
for the client by choosing either the first or last field (potentially
masking a security hole), or simply respond with 400?

What is the user agent?

....Roy
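
The "respond with 400" option from the message above, as an added example (not httpd code and not part of the original message): a hypothetical `check_host` helper rejects a request whose Host field is repeated, or missing, instead of merging the values or picking one. It assumes CRLF-terminated, unfolded header lines; the sample requests are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples: the repeated Host field from the report, and a valid one. */
static const char SAMPLE_DUP[] =
    "Host: www.cnn.com\r\nAccept: text/html\r\nhost: www.cnn.com\r\n\r\n";
static const char SAMPLE_OK[] = "Accept: text/html\r\nHOST:  www.cnn.com \r\n\r\n";

/* Case-insensitive match of a lowercase field name (with colon) at line start. */
static int is_field(const char *line, size_t len, const char *name)
{
    size_t n = strlen(name);
    if (len < n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)line[i]) != name[i]) return 0;
    return 1;
}

/* Hypothetical helper: returns the status to send. 200 and the value in out
 * when exactly one Host field is present; 400 when it is missing, repeated,
 * or too long for out. The fields are never merged and none is picked. */
int check_host(const char *hdrs, char *out, size_t outlen)
{
    int seen = 0;
    if (outlen == 0) return 400;
    out[0] = '\0';
    for (const char *line = hdrs; *line != '\0'; ) {
        const char *eol = strstr(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len == 0) break;                       /* blank line ends the headers */
        if (is_field(line, len, "host:")) {
            const char *v = line + 5, *end = line + len;
            if (++seen > 1) { out[0] = '\0'; return 400; }   /* repeated Host */
            while (v < end && (*v == ' ' || *v == '\t')) v++;
            while (end > v && (end[-1] == ' ' || end[-1] == '\t')) end--;
            if ((size_t)(end - v) >= outlen) return 400;     /* never truncate */
            memcpy(out, v, (size_t)(end - v));
            out[end - v] = '\0';
        }
        line = eol ? eol + 2 : line + len;
    }
    return seen == 1 ? 200 : 400;
}

int main(void)
{
    char host[64];
    printf("duplicate: %d\n", check_host(SAMPLE_DUP, host, sizeof host));
    printf("single:    %d host=%s\n", check_host(SAMPLE_OK, host, sizeof host), host);
    return 0;
}
```

Rejecting on the second occurrence means no later component ever sees a merged value such as "www.cnn.com, www.cnn.com" or has to guess which field was meant.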