- From: 陈智昌 <willchan@chromium.org>
- Date: Wed, 19 Feb 2014 16:32:11 -0800
- To: Thomas Fossati <TFossati@velocix.com>
- Cc: Patrick McManus <pmcmanus@mozilla.com>, Salvatore Loreto <salvatore.loreto@ericsson.com>, HTTP Working Group <ietf-http-wg@w3.org>, "draft-loreto-httpbis-trusted-proxy20@tools.ietf.org" <draft-loreto-httpbis-trusted-proxy20@tools.ietf.org>, GUS BOURG <gb3635@att.com>

On Wed, Feb 19, 2014 at 1:24 PM, Thomas Fossati <TFossati@velocix.com> wrote:
> On 19/02/2014 07:37, "William Chan (陈智昌)" <willchan@chromium.org> wrote:
>>That said, I still agree
>>with Patrick that there doesn't seem any reason to allow
>>differentiation of http vs https traffic. If the user agent and origin
>>agree to put http traffic over a user-agent<=>origin TLS connection,
>>then they should be allowed to do so without having to mark it via
>>ALPN.
>
> As far as I understand, the browser could just decide to use h2 for
> everything and thus opt-out completely.

I see, if this is just an option, then I'm less concerned. But let's only standardize an option that implementations plan on using. What user agent plans on supporting this? I can't see Chromium doing this.

>
> The h2clr flag is a hint that the user agent can give to the network. It
> allows an on-path proxy to jump in, provide strong identity proof, and (if
> explicitly allowed) MITM the user’s http requests sent over HTTP/2.0+TLS.
>
> Thus, under user consent, the cache/inspection/whatever function for
> non-https traffic that used to work with cleartext HTTP/1.x is re-enabled.
> Win-win?

Users will not grok this prompt for the user consent, so I can't imagine prompting the user in Chromium. I'm curious what other user agent implementers think.

>
> Cheers
>

Received on Thursday, 20 February 2014 00:32:41 UTC