
Re: :scheme, was: consensus on :query ?

From: Roy T. Fielding <fielding@gbiv.com>
Date: Thu, 24 Jul 2014 10:12:26 -0700
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <75A972C2-BD33-4D3D-BADF-D307BAEF5B6A@gbiv.com>
To: Greg Wilkins <gregw@intalio.com>
On Jul 23, 2014, at 10:15 PM, Greg Wilkins wrote:
> On 24 July 2014 15:02, Adrien de Croy <adrien@qbik.com> wrote:
> so that when a client sends the http2 equivalent of
>  
> GET ftp://ftp.somewhere.com/file HTTP/1.1
>  
> to a proxy, we can do it.
> 
> That's a reasonable usage.
> 
> But distinguishing between http and https is not. Can't we just not send the scheme for HTTP and if we do then it should just be http and never https. At the very least we should point out that :scheme is not a trusted value and just because it says https does not mean the request is secure.

Actually, people use many different schemes to access HTTP services.
You don't see them because it can't be communicated yet.

> There is plenty of code out there that implements the equivalent of
> 
>  boolean isSecure() { return "https".equals(getScheme()); }

Yep, and they are all guesses.  It doesn't actually work in all cases,
but there is no alternative in HTTP/1.  It would be a shame not to fix a
known bug in HTTP/1.

....Roy
Received on Thursday, 24 July 2014 17:12:52 UTC
