W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2016

Re: SETTINGS_MIXED_SCHEME_PERMITTED | Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt

From: Patrick McManus <mcmanus@ducksong.com>
Date: Wed, 5 Oct 2016 10:53:32 +0200
Message-ID: <CAOdDvNpRN_trGi23BpqUxmaLoLvom9+Yiew0GkNkhgwvqw4Bew@mail.gmail.com>
To: Kari Hurtta <khurtta@welho.com>
Cc: Mike Bishop <Michael.Bishop@microsoft.com>, Kari hurtta <hurtta-ietf@elmme-mailer.org>, HTTP working group mailing list <ietf-http-wg@w3.org>
I think I agree with Kari - this is per origin and not per connection..
having implemented the .wk thing I found it pretty workable and the server
side folks liked that this could be done with simply configuration to
reflect origin policy via headers and .wk rather than a protocol extension.

On Wed, Oct 5, 2016 at 6:51 AM, Kari Hurtta <hurtta-ietf@elmme-mailer.org>
wrote:

> Mike Bishop <Michael.Bishop@microsoft.com>: (Tue Oct  4 20:38:45 2016)
>
> > Taking a step back, what is the list of ports actually buying us now?
> The port can be obtained by the client from the Alt-Svc header.  The fact
> that the port is legitimate and not hijacked is verified by finding that it
> has a certificate.  What we're actually confirming is that the origin
> supports mixed schemes.  The lifetime is already present in the Alt-Svc
> advertisement, and I haven't heard a compelling reason to have a separate
> lifetime.  Should we just define SETTINGS_MIXED_SCHEME_PERMITTED and call
> it a day?
>
> Hmm.
>
> SETTINGS_MIXED_SCHEME_PERMITTED is per connection. I assume that HTTP/2
> server sends it on SETTINGS frame to HTTP/2 client (similar than what
> I contemplated for SETTINGS_WEBSOCKET_CAPABLE at
> https://lists.w3.org/Archives/Public/ietf-http-wg/2016OctDec/0033.html )
>
> http-opportunistic response tells here that given port for that
> origin handles http -scheme when sent via TLS.
>
> connection apply probably for several origins. TLS connection
> may be terminated by reverse proxy. And different origins
> are served by different processes or servers behind of
> reverse proxy.
>
> I guess that SETTINGS_MIXED_SCHEME_PERMITTED is too wide.
>
> "tls-ports"  should perhaps now be "mixed-scheme-listeners"
> giving [ "alternative-server:port" ].
>
> / Kari Hurtta
>
>
>
Received on Wednesday, 5 October 2016 08:54:05 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 5 October 2016 08:54:08 UTC