Safari-based browsers do not support HTTP Status 421 Misdirected request

Number:rdar://FB7745565 Date Originated:
Status:Open Resolved:
Product:Safari Product Version:13.1.1
Classification: Reproducible:
Use standard HTTP server virtual hosting to host more than one website on the same IP address. Set up TLS and serve both sites with the same wildcard certificate. In whatever way your HTTP server supports, bind the TLS server name to the HTTP virtual host name.

In the example in the quicktime, I have set up:

All of these are served with the wildcard certificate for * At the TLS layer, the server name "" only has access to the "" virtual host, not to any of the other three virtual hosts.

If you navigate to "" in Safari, Safari correctly loads the page. If you then navigate to "", Safari will incorrectly re-use the TLS connection it established for "" and request "". Since that virtual host is not configured on the TLS session, the server responds with a 421 Misdirected Request status. Safari does not handle this, and displays a blank page.

As per HTTP/2 RFC 9.1.2 (, the UA MAY retry the 421 status response. Chrome and Firefox browsers both correctly retry in this situation.

This is an information disclosure security bug, since the browser sends the request to the wrong server name. This issue (misdirecting HTTPS requests to the wrong hostname) has been published as

This is the same as the issue reported via WebKit, which is associated with rdar://problem/34187588.


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!