What does "deceptive request routing" mean in the new HTTP spec (RFC 7231)?

Question

In RFC 2616, the 400 response code was for syntax errors.

The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.

RFC 7231 broadens the applicability of 400. The spec gives a few other examples of client errors, but I'm not sure what they mean.

The 400 (Bad Request) status code indicates that the server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).

In particular, what would constitute "deceptive request routing"?

Answer 1

As one example, this could be relevant for a CDN. See RFC 3568.

Section 4.1.2 stands out to me:

This technique involves the task of using HTTP [4] such as Cookie, Language, and User-Agent, in order to select a surrogate. In [20] some examples of using this technique are provided.

The relevancy of the cited example ("deceptive request routing") comes in when a system relies on information including custom HTTP headers for decision making. When such a header is absent, stale, incorrect, or otherwise not processable. As as general rule, anything malformed or "wrong" coming from the public Internet can safely be assumed malicious (or "deceptive").

---

Another example: someone Man-In-The-Middles my uplink and hijacks my session cookie. Tries to access the site with that cookie, but all of a sudden the system sees requests with the same token coming from two different IP addresses.