
Re: Same resource exposed over HTTP and HTTPS

From: Henrik Nordström <henrik@henriknordstrom.net>
Date: Wed, 19 May 2010 21:36:26 +0200
To: nathan@webr3.org
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <1274297786.16981.13.camel@localhost.localdomain>

On Wed 2010-05-19 at 15:36 +0100, Nathan wrote:

> I've hit on a scenario where we'd like to identify resource with http 
> scheme URIs; where safe methods are exposed via standard HTTP, whereas 
> unsafe methods (in this case PUT and DELETE) would be exposed via HTTPS.

Content-Location can be used to hint about this. If both http and https
respond with the same https content location then clients will have a
hint that they are the same and also a hint that this location should be
used when updating the resource.

> I'm entirely unsure how to approach this, can find little documentation 
> on doing Upgrade; and am very unsure what it means to PUT to https://.. 
> and GET from http://.

Upgrade isn't used much if at all. Everyone seems quite satisfied with
using explicit https.

Upgrade can be compared to STARTTLS in other protocols if you are
familiar with that.

> The HTTP spec specifies "The PUT method requests that the enclosed 
> entity be stored at the supplied request-target." and under p1 messaging 
> 4.2 "The exact resource identified by an Internet request is determined 
> by examining both the request-target and the Host header field."

Right. There is an unintentional gap there. http != https, but the above
fails to account for that.

Regards
Henrik
Received on Wednesday, 19 May 2010 19:36:56 GMT
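
The Content-Location hint described in the reply above, as a client-side check. This is an added example, not part of the original message; the function names, the same-host rule and the sample responses are assumptions constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit


def content_location(request_uri, headers):
    """Resolve a Content-Location header (possibly relative) against the request URI."""
    for name, value in headers.items():
        if name.lower() == "content-location":
            return urljoin(request_uri, value.strip())
    return None


def update_target(http_resp, https_resp):
    """Return the https URI to use for PUT/DELETE, or None if the hint is unusable.

    Each argument is a (request_uri, headers) pair from a GET on that scheme.
    """
    loc_http = content_location(*http_resp)
    loc_https = content_location(*https_resp)
    # Both responses must carry the hint and agree on it.
    if loc_http is None or loc_https is None or loc_http != loc_https:
        return None
    target = urlsplit(loc_https)
    # The shared location must itself be https.
    if target.scheme != "https":
        return None
    # Assumed policy: the cleartext response is unauthenticated, so only accept
    # a location on the host that the https response was actually fetched from.
    if target.hostname != urlsplit(https_resp[0]).hostname:
        return None
    return loc_https


# Constructed sample responses (not captured traffic).
SAMPLE_HTTP = ("http://example.org/doc/1",
               {"Content-Location": "https://example.org/doc/1"})
SAMPLE_HTTPS = ("https://example.org/doc/1",
                {"content-location": "/doc/1"})
SAMPLE_HTTP_MISMATCH = ("http://example.org/doc/1",
                        {"Content-Location": "https://other.example/doc/1"})

if __name__ == "__main__":
    print(update_target(SAMPLE_HTTP, SAMPLE_HTTPS))
    print(update_target(SAMPLE_HTTP_MISMATCH, SAMPLE_HTTPS))
```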
