Re: :scheme, was: consensus on :query ? from Greg Wilkins on 2014-07-24 (ietf-http-wg@w3.org from July to September 2014)

From: Greg Wilkins <gregw@intalio.com>
Date: Thu, 24 Jul 2014 15:15:44 +1000
To: Adrien de Croy <adrien@qbik.com>
Cc: Matthew Kerwin <matthew@kerwin.net.au>, Zhong Yu <zhong.j.yu@gmail.com>, Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAH_y2NFqGFJh_nv+yJydpMUxHgDXY==iTpFKb0vazypDucHAFw@mail.gmail.com>

On 24 July 2014 15:02, Adrien de Croy <adrien@qbik.com> wrote:

> so that when a client sends the http2 equivalent of
>
> GET ftp://ftp.somewhere.com/file /HTTP/1.1
>
> to a proxy, we can do it.
>

That's a reasonable usage.

But distinguishing between http and https is not.   Can't we just not send
the scheme for HTTP and if we do then it should just be http and never
https.      At the very least we should point out that :scheme is not a
trusted value and just because it says https does not mean the request is
secure.

There is plenty of code out that that implements the equivalent of

 boolean isSecure() { return "https".equals(getScheme()); }

https://www.google.com.au/search?q=isSecure+%22https%22.equals+getScheme%28%29

-- 
Greg Wilkins <gregw@intalio.com>
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com  advice and support for jetty and cometd.

Received on Thursday, 24 July 2014 05:16:12 UTC