2

I am using System.Net.HttpClient in a client application and needing to PUT to a third party service I have no control over. The third party service gives responses such as:

Date: Wed, 04 Jun 2025 20:38:32 GMT
Server: Apache
X-LL-Request-Id: aECuyNDHz8BcYDvfmg9JCgAAATk
Content-Type: application/llsd+xml
Content-Length: 65859
Content-Location: slcap://InventoryAPIv3/category/1854a12a-d07f-bb17-a00c-82b739b05698/links
Location: slcap://InventoryAPIv3/category/1854a12a-d07f-bb17-a00c-82b739b05698/links
Vary: Accept,Accept-Encoding,X-Untrusted-Path,X-Untrusted-Query
Access-Control-Allow-Origin: *

Note the Location and Content-Location fields have an slcap:// protocol. These fields are also not important for my purposes at this time.

However, when I call HttpClient.PutAsync(uri, content, ct) the response I get throws an exception:

System.ArgumentException
  HResult=0x80070057
  Message=Only 'http' and 'https' schemes are allowed.
Parameter name: value
  Source=System.Net.Http
  StackTrace:
   at System.Net.Http.HttpRequestMessage.set_RequestUri(Uri value)
   at System.Net.Http.HttpClientHandler.CreateResponseMessage(HttpWebResponse webResponse, HttpRequestMessage request)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)

This is due to HttpRequestMethod copying the response Location into a new request:

request.RequestUri = webResponse.ResponseUri

Which validates the RequestUri:

if (value != null && value.IsAbsoluteUri && !HttpUtilities.IsHttpUri(value))
{
    throw new ArgumentException(SR.net_http_client_http_baseaddress_required, "value");

My question is what is the best way to mitigate this in .NET Framework? It only seems to happen on PUT requests.

Improve this question
7
  • A PUT means you are sending data to the third party server. You are getting a response which is normally a GET. The responses you are getting are HTTP Headers which details of the data sent and are not part of the message body. The response of a PUT the body is normally empty. Commented Jun 5 at 15:58
  • Which exact build of .NET is this? Commented Jun 5 at 16:06
  • 1
    @Charlieface Interesting! So the best case would be just to finally get this old dinosaur off .NET Framework. Commented Jun 5 at 16:50
  • 2
    Since .NET Framework is still supported by Microsoft, you might have luck reporting this as an issue to the .NET dev team. But it probably won't be fixed on the timeline you need. Commented Jun 5 at 17:15
  • 1
    @jdweng There is nothing invalid about that Location URI, a custom schema is perfectly within spec. It's simply .NET Framework over-validating it. Commented Jun 6 at 8:36

1 Answer 1

Reset to default
2

It looks like it's specifically a .NET Framework issue. You can see the specific validation code for the URI in the source code here.

public Uri RequestUri
{
    get { return requestUri; }
    set
    {
        if ((value != null) && (value.IsAbsoluteUri) && (!HttpUtilities.IsHttpUri(value)))
        {
            throw new ArgumentException(SR.net_http_client_http_baseaddress_required, "value");
        }
        CheckDisposed();

        // It's OK to set 'null'. HttpClient will add the 'BaseAddress'. If there is no 'BaseAddress'
        // sending this message will throw.
        requestUri = value;
    }
}

But .NET Core onwards doesn't validate the URI, see here.

public Uri? RequestUri
{
    get { return _requestUri; }
    set
    {
        CheckDisposed();
        _requestUri = value;
    }
}

I can't suggest anything other than to either fall back to the old HttpWebRequest (which only validates the Location URI on redirects), or to upgrade to .NET 8+.

You can try filing a bug for .NET Framework, but it's basically out to pasture now, and only really gets security fixes.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.