Description
h11 in client mode refuses to let you send a Host: header with an embedded newline, which protects against some of the attacks they're talking about. (This apparently distinguishes us from every Python HTTP library they studied.)
Do we validate outgoing request targets? (The / part in GET /?)
Is there anything else in there that's in scope for us? We certainly can't do anything about SNI. We don't actually deal with URLs, though I have been thinking that we should perhaps do more validation of incoming request targets in the rare case where there's something useful to validate (like checking that the authority if given matches the Host:).
The IDNA stuff is definitely not in scope for h11, but I'll note in passing that I'm confused: their table doesn't match the behavior of the idna module at all. The "uts46" column matches what you see with uts46=True, transitional=True (which is a mode that UTS-46 tries hard to dissuade you from using -- they want you to use uts46=True, transitional=False). If you use uts46=True, transitional=False, then the circled letters one gives google.com but the \u200D one is an error and baß.de gives xn--ba-hia.de. And if you use pure IDNA2008 (which literally nobody does, it errors out on capital letters), then the \u200D one still gives an error.