On 24 July 2014 23:32, Patrick McManus <mcmanus@ducksong.com> wrote:
> But just as you check the security context against the :path, you also
> check the security context against :scheme.. and sure, receiving https
> without tls is something 7230 says is an error. I think 6455 says the same
> thing about wss. However just because TLS is present doesn't mean https is
> the only acceptable scheme.

OK that makes sense. I'll take this to the servlet expert group as I think
we should require that isSecure does more than check the scheme and makes
some effort to check context.

cheers
--
Greg Wilkins <gregw@intalio.com>
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com advice and support for jetty and cometd.
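
The check discussed in this message, as an added example that is not part of the original thread and is not Jetty or Servlet API code: a scheme-only isSecure beside one that also checks the connection context. All class and method names are hypothetical, and treating http-over-TLS as accepted but not "secure" is an assumption of this sketch.

```java
import java.util.Locale;

// Added illustration; hypothetical names, not Jetty or Servlet API code.
public class SchemeContextCheck {

    enum Verdict { ACCEPT, REJECT }

    // True when the request's :scheme claims a TLS-protected transport.
    static boolean claimsTls(String scheme) {
        if (scheme == null) return false;
        String s = scheme.toLowerCase(Locale.ROOT);
        return s.equals("https") || s.equals("wss");
    }

    // Scheme-only check: trusts whatever the request claims about itself.
    static boolean isSecureSchemeOnly(String scheme) {
        return claimsTls(scheme);
    }

    // Context-aware check: the scheme's claim must be backed by the connection.
    // Assumption: http carried over TLS is not reported as secure.
    static boolean isSecure(String scheme, boolean tlsOnConnection) {
        return claimsTls(scheme) && tlsOnConnection;
    }

    // https/wss without TLS is an error; TLS with a non-https scheme is acceptable.
    // Assumption: a missing or empty :scheme is rejected.
    static Verdict validate(String scheme, boolean tlsOnConnection) {
        if (scheme == null || scheme.isEmpty()) return Verdict.REJECT;
        if (claimsTls(scheme) && !tlsOnConnection) return Verdict.REJECT;
        return Verdict.ACCEPT;
    }

    public static void main(String[] args) {
        // Constructed cases: { :scheme value, TLS present on the connection }
        Object[][] cases = {
            {"https", true}, {"https", false}, {"http", true}, {"http", false}, {"wss", false},
        };
        for (Object[] c : cases) {
            String scheme = (String) c[0];
            boolean tls = (Boolean) c[1];
            System.out.printf("scheme=%-5s tls=%-5b validate=%-6s schemeOnly=%-5b contextAware=%b%n",
                scheme, tls, validate(scheme, tls), isSecureSchemeOnly(scheme), isSecure(scheme, tls));
        }
    }
}
```

The rows where the scheme is https or wss but the connection has no TLS are the ones where the scheme-only check reports true while the context-aware check reports false.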