- From: Erik Nygren <erik@nygren.org>
- Date: Thu, 24 Jul 2014 14:53:12 -0400
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: Greg Wilkins <gregw@intalio.com>, Matthew Kerwin <matthew@kerwin.net.au>, Adrien de Croy <adrien@qbik.com>, Zhong Yu <zhong.j.yu@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
I think the requirement is that http-scheme-over-TLS must only be done in a way where the client and server agree on the scheme in a way that works hop-by-hop and also works with legacy clients. In http/2 the :scheme makes this clear. In prior versions (e.g., http/1.1) it's not clear there's a sane way (e.g., new headers) that unaware intermediaries can't be made confused by an adversary on the client or server side?

On Thu, Jul 24, 2014 at 2:33 PM, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 24 July 2014 11:21, Erik Nygren <erik@nygren.org> wrote:
>> I'd been under the assumption that http-scheme-over-TLS would only be
>> allowed over HTTP/2?
>
> I'll open that issue. We currently have no explicit restriction that
> prevents this. I don't think that we have any reason to say
> HTTP/2-only. I also don't think that we need a specific exclusion for
> HTTP/1.1, which is the other way we might cut this (so that we could
> retain the feature for some theorized HTTP/5, which may or may not be
> in active development for some major browser).
>
> That said, Mozilla doesn't plan to use oppsec for HTTP/1.1, at least
> in the short to medium term.
Received on Thursday, 24 July 2014 18:53:39 UTC
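The point Erik makes above, that HTTP/2 states the scheme explicitly in `:scheme` while an HTTP/1.1 hop usually has to infer it from whether the connection is TLS, can be made concrete with a small classifier. The following is an added illustration, not code from the thread or from any working-group implementation; the function names, the `SchemeDecision` record and the request samples are constructed for the example. It relies on two facts from the specifications: HTTP/2 requires `:scheme` on every request except CONNECT (RFC 7540 §8.1.2.3), and an HTTP/1.1 request only names its scheme when it uses the absolute-form request-target, which is mostly seen on proxy hops (RFC 7230 §5.3).

```python
"""Added example (not from the thread): how a single hop decides a request's scheme.

HTTP/2 carries the scheme in the ':scheme' pseudo-header, so a server or
intermediary can tell an http-scheme request from an https-scheme one no
matter whether the hop itself is TLS.  HTTP/1.1 origin-form requests carry
no such field; the hop can only infer the scheme from the transport.  The
'http_over_tls' flag marks the case the thread discusses: the scheme is
explicitly "http" although the hop is TLS, which every hop must be able to
recognise rather than guess.  All request samples here are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit


@dataclass
class SchemeDecision:
    scheme: str          # "http" or "https"
    explicit: bool       # True if the request itself stated the scheme
    http_over_tls: bool  # True when the stated scheme is "http" on a TLS hop


def scheme_from_h2(pseudo_headers: Dict[str, str], tls: bool) -> SchemeDecision:
    """HTTP/2: ':scheme' is required on every request except CONNECT
    (RFC 7540 §8.1.2.3), so the scheme is always explicit."""
    scheme = pseudo_headers.get(":scheme")
    if scheme is None:
        raise ValueError("HTTP/2 request without :scheme is malformed")
    scheme = scheme.lower()
    return SchemeDecision(scheme=scheme, explicit=True,
                          http_over_tls=(scheme == "http" and tls))


def scheme_from_h1(request_line: str, tls: bool) -> SchemeDecision:
    """HTTP/1.1: only an absolute-form request-target names the scheme
    (RFC 7230 §5.3); origin-form ('GET /path HTTP/1.1') leaves the hop to
    infer it from the transport, so nothing in the request can say 'http'
    while arriving over TLS."""
    method, target, version = request_line.split(" ", 2)
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:  # absolute-form, e.g. sent to a proxy
        scheme = parts.scheme.lower()
        return SchemeDecision(scheme, True, scheme == "http" and tls)
    inferred = "https" if tls else "http"  # origin-form: infer from the hop
    return SchemeDecision(inferred, False, False)


def classify_samples() -> List[SchemeDecision]:
    """Run the constructed samples through both classifiers, in order."""
    return [
        # HTTP/2, http scheme, but the hop is TLS: the explicit case
        scheme_from_h2({":method": "GET", ":scheme": "http",
                        ":authority": "example.test", ":path": "/"}, tls=True),
        # HTTP/2, https scheme on TLS: the ordinary case
        scheme_from_h2({":method": "GET", ":scheme": "https",
                        ":authority": "example.test", ":path": "/"}, tls=True),
        # HTTP/1.1 origin-form on TLS: scheme can only be inferred
        scheme_from_h1("GET /index.html HTTP/1.1", tls=True),
        # HTTP/1.1 absolute-form on TLS: scheme is stated in the target
        scheme_from_h1("GET http://example.test/index.html HTTP/1.1", tls=True),
    ]


if __name__ == "__main__":
    for decision in classify_samples():
        print(decision)
```

Only the first and last samples yield `http_over_tls=True`; the third shows why HTTP/1.1 origin-form requests cannot express the feature at all, which is the gap the reply above points at when it asks whether any new header could make unaware intermediaries agree on the scheme.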