Re: Sec-Scheme request header? from Mike West on 2016-04-13 (ietf-http-wg@w3.org from April to June 2016)

From: Mike West <mkwst@google.com>
Date: Wed, 13 Apr 2016 09:54:36 +0200
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAKXHy=f=499HWYurEsTodjrJr6rR7DBkcFiVwmJGE0ogYFPAaQ@mail.gmail.com>

On Wed, Apr 13, 2016 at 9:50 AM, Mark Nottingham <mnot@mnot.net> wrote:

> At the WG meeting in B-A, I tangentially wondered aloud about whether we
> should define a header in the form:
>
> Sec-Scheme: https
>
> Because it's prefixed with `Sec-`, browsers won't allow its modification
> (e.g., in XHR), so its value is relatively trustworthy from browser clients.
>
> Because it's a header, rather than a pseudo-header (like :scheme), it's
> "end to end" -- it gets exposed to the application (e.g., through PHP, CGI,
> whatever) via standard APIs. As such, it's much more realistic to consume.
>
> What do people think -- would such a thing be useful?
>

Could you explain the use-case? Ctrl+F in
https://github.com/httpwg/wg-materials/blob/gh-pages/ietf95/minutes.md came
up empty, so context would be helpful. :)

-mike

Received on Wednesday, 13 April 2016 07:55:25 UTC