Re: constraining scheme (http vs https) on a connection

If it helps, this came up as an important corner-case during implementation
/ detailed-design of a server-side implementation.


On Tue, May 31, 2016 at 10:06 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> This is reasonable.  A boolean `mixed-scheme` member that has to be
> true seems appropriate.  It's cheap enough to warrant doing.
>
> On 1 June 2016 at 11:10, Mark Nottingham <mnot@mnot.net> wrote:
> > What do other folks think?
> >
> >
> >> On 1 Jun 2016, at 8:31 AM, Erik Nygren <erik@nygren.org> wrote:
> >>
> >> Filed for the opp-sec draft where this is most relevant:
> >>
> >>      https://github.com/httpwg/http-extensions/issues/188
> >>
> >> In particular, mixing of secure and insecure schemes should require
> >> server-side opt-in over a strongly authenticated channel.  (e.g., an
> >> attribute of /.well-known/http-opportunistic with properties similar to
> >> "commit" as for where it can be set).
>

Received on Wednesday, 1 June 2016 15:19:16 UTC