Description
RFC 7230, Section 5.4 says:

> If the target URI includes an authority component, then a client MUST send a field-value for Host that is identical to that authority component, excluding any userinfo subcomponent and its "@" delimiter (Section 2.7.1).
However, the requirements upon a server receiving a request with a mismatching authority component and Host header are not clearly stated.
Below, it says:

> A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message that lacks a Host header field and to any request message that contains more than one Host header field or a Host header field with an invalid field-value.
However, a mismatching field-value is not clearly labeled to be invalid.
The waters are further muddied by RFC 7230, Section 5.5:

> If the request-target is in absolute-form, the effective request URI is the same as the request-target. Otherwise, the effective request URI is constructed as follows...
... which I've seen people interpret as "the absolute form takes precedence over the Host header."
I think we need to:
- clarify server behaviour when receiving mismatching absolute form and host header (i.e., tweaking the language around "invalid")
- modify the beginning of 5.5 to remove the impression outlined above
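The following is an added worked example, not code from the issue, from RFC 7230 or from any httpwg project: a small checker that applies the unambiguous Section 5.4 rules (missing, duplicate or invalid Host gets 400), extracts the authority from an absolute-form request-target with the userinfo and "@" stripped as Section 5.4 describes, and then treats the mismatch case the issue raises as a configurable policy. The `reject_mismatch` flag, the `Decision` type and the sample request heads are all constructed for this illustration; the strict default is this example's choice, not a requirement RFC 7230 states, and the lenient branch is the "absolute form takes precedence" reading the issue describes. The security point is that a server which silently routes on the absolute-form authority while an upstream proxy routed on Host can be steered to a different virtual host than the proxy believed it was forwarding to.

```python
"""Host / absolute-form authority consistency check for HTTP/1.1 request heads.

Added example for the RFC 7230 Section 5.4 / 5.5 discussion; not code from the
issue or from any httpwg document.  All request samples are constructed.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# absolute-form (RFC 7230 Section 5.3.2): scheme "://" authority path-abempty ...
ABSOLUTE_FORM = re.compile(r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.\-]*)://(?P<authority>[^/?#]*)")

# Host = uri-host [ ":" port ]  (Section 5.4).  This is a deliberately loose
# approximation: IP-literal in brackets, or reg-name characters, then an optional
# port.  An empty uri-host is legal, so the empty field-value is accepted.
HOST_VALUE = re.compile(r"^(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9._~%!$&'()*+,;=\-]*)(?::[0-9]*)?$")


class Decision(NamedTuple):
    status: Optional[int]       # 400 to reject, None to proceed
    reason: str
    authority: Optional[str]    # authority the server would route on when proceeding


def split_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a request head into the request-line and (lowercased name, value) pairs."""
    head = raw.decode("iso-8859-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def authority_of_target(target: str) -> Optional[str]:
    """Authority of an absolute-form target without userinfo, or None for other forms."""
    m = ABSOLUTE_FORM.match(target)
    if m is None:
        return None  # origin-form, authority-form or asterisk-form carry no authority here
    # Section 5.4: compare "excluding any userinfo subcomponent and its '@' delimiter".
    return m.group("authority").rsplit("@", 1)[-1]


def check_host(raw: bytes, reject_mismatch: bool = True) -> Decision:
    """Apply the Section 5.4 server rules, then the (ambiguous) mismatch policy."""
    request_line, headers = split_head(raw)
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[2] != "HTTP/1.1":
        return Decision(400, "malformed request-line", None)
    hosts = [v for n, v in headers if n == "host"]
    if not hosts:
        return Decision(400, "missing Host header field", None)
    if len(hosts) > 1:
        return Decision(400, "more than one Host header field", None)
    host = hosts[0]
    if HOST_VALUE.match(host) is None:
        return Decision(400, "invalid Host field-value", None)
    authority = authority_of_target(parts[1])
    if authority is None:
        return Decision(None, "non-absolute request-target; Host is the authority", host)
    # Case-insensitive host comparison; no default-port normalisation is attempted,
    # so "example.com:80" versus "example.com" counts as a mismatch (a known limit).
    if authority.lower() == host.lower():
        return Decision(None, "absolute-form authority matches Host", authority)
    if reject_mismatch:
        # Strict policy chosen for this example: treat the mismatch as an invalid Host.
        return Decision(400, "Host does not match absolute-form authority", None)
    # Lenient reading of Section 5.5 as quoted in the issue: absolute-form wins.
    # Dangerous behind a proxy that selected the backend from the Host field.
    return Decision(None, "absolute-form authority takes precedence over Host", authority)


# Constructed request heads (not captured traffic) covering each rule above.
SAMPLES = {
    "match": b"GET http://example.com/a HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "userinfo": b"GET http://alice:pw@example.com/a HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "mismatch": b"GET http://example.com/a HTTP/1.1\r\nHost: other.example\r\n\r\n",
    "missing": b"GET /a HTTP/1.1\r\nAccept: */*\r\n\r\n",
    "duplicate": b"GET /a HTTP/1.1\r\nHost: a.example\r\nHost: b.example\r\n\r\n",
    "invalid": b"GET /a HTTP/1.1\r\nHost: a.example/evil\r\n\r\n",
    "origin": b"GET /a HTTP/1.1\r\nHost: example.com\r\n\r\n",
}


def run_all(reject_mismatch: bool = True) -> dict:
    """Evaluate every sample under the chosen mismatch policy."""
    return {name: check_host(raw, reject_mismatch) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for policy in (True, False):
        print("reject_mismatch=%s" % policy)
        for name, decision in run_all(policy).items():
            print("  %-9s -> %s %s (%s)" % (name, decision.status, decision.authority, decision.reason))
```

Running the block prints the verdict for each sample under both policies; the only sample whose outcome changes between them is "mismatch", which is exactly the gap the issue asks the spec to close.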