Downgrade FRAGMENT-IN-TARGET from MUST to SHOULD (warn_on_2xx)

Fragment (#) is absent from origin-form grammar but RFC 9112 §3 only
says SHOULD reject invalid request-lines. Servers that strip the
fragment and return 2xx are not violating a mandatory requirement.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: MDA2AV

docs/content/docs/request-line/fragment-in-target.md

@@ -10,30 +10,43 @@ weight: 3
 | **Category** | Compliance |
 | **RFC** | [RFC 9112 Section 3.2](https://www.rfc-editor.org/rfc/rfc9112#section-3.2) |
 | **Requirement** | SHOULD |
-| **Expected** | `400` or close |
+| **Expected** | `400` = Pass; `2xx` = Warn |
 
 ## What it sends
 
-A request with a fragment identifier in the URI: `GET /path#fragment HTTP/1.1`.
+A request with a fragment identifier in the URI: `GET /path#frag HTTP/1.1`.
 
 ```http
 GET /path#frag HTTP/1.1\r\n
 Host: localhost:8080\r\n
 \r\n
 ```
 
-
 ## What the RFC says
 
-The origin-form of request-target is `absolute-path [ "?" query ]`. There is no fragment component. A fragment identifier (`#...`) does not appear in any valid request-target form.
+The origin-form of request-target is defined as:
+
+```
+origin-form = absolute-path [ "?" query ]
+```
+
+There is no fragment component in this grammar. The `#` character and anything after it are not part of any valid request-target form (origin-form, absolute-form, authority-form, or asterisk-form).
+
+Since the request-line doesn't match any valid form, it is an invalid request-line:
 
-> "Recipients of an invalid request-line **SHOULD** respond with either a 400 (Bad Request) error..." — RFC 9112 Section 3
+> "Recipients of an invalid request-line **SHOULD** respond with either a 400 (Bad Request) error or a 301 (Moved Permanently) redirect..." — RFC 9112 Section 3
+
+This is a **SHOULD**, not a MUST — servers that strip the fragment and process the path are not violating a mandatory requirement.
 
 ## Why it matters
 
-Fragments are a client-side concept (they reference a position within a document). They should never appear on the wire. A server that silently strips fragments may process a different resource than what the client intended.
+Fragments are a client-side concept used to reference a position within a document. They should never appear on the wire. A server that silently strips fragments may process a different resource than what the client intended, though the practical security risk is low.
+
+**Pass:** Server rejects with `400` (strict parsing).
+**Warn:** Server returns `2xx` (likely strips the fragment and processes `/path`).
 
 ## Sources
 
 - [RFC 9112 Section 3.2 — origin-form](https://www.rfc-editor.org/rfc/rfc9112#section-3.2)
+- [RFC 9112 Section 3 — Request Line](https://www.rfc-editor.org/rfc/rfc9112#section-3)
 - [RFC 9110 Section 4.1 — URI References](https://www.rfc-editor.org/rfc/rfc9110#section-4.1)

src/Http11Probe/TestCases/Suites/ComplianceSuite.cs

@@ -175,14 +175,24 @@ public static IEnumerable<TestCase> GetTestCases()
         yield return new TestCase
         {
             Id = "RFC9112-3.2-FRAGMENT-IN-TARGET",
-            Description = "Fragment (#) in request-target must be rejected",
+            Description = "Fragment (#) in request-target — not part of origin-form grammar",
             Category = TestCategory.Compliance,
             RfcReference = "RFC 9112 §3.2",
             PayloadFactory = ctx => MakeRequest($"GET /path#frag HTTP/1.1\r\nHost: {ctx.HostHeader}\r\n\r\n"),
             Expected = new ExpectedBehavior
             {
-                ExpectedStatus = StatusCodeRange.Exact(400),
-                AllowConnectionClose = true
+                Description = "400 or 2xx",
+                CustomValidator = (response, state) =>
+                {
+                    if (response is null)
+                        return state == ConnectionState.ClosedByServer ? TestVerdict.Pass : TestVerdict.Fail;
+                    if (response.StatusCode == 400)
+                        return TestVerdict.Pass;
+                    // Fragment not in origin-form grammar, but RFC only says SHOULD reject invalid request-line
+                    if (response.StatusCode is >= 200 and < 300)
+                        return TestVerdict.Warn;
+                    return TestVerdict.Fail;
+                }
             }
         };