- From: Stefan Eissing <stefan.eissing@greenbytes.de>
- Date: Fri, 7 Oct 2016 09:24:26 +0200
- To: Mike Bishop <Michael.Bishop@microsoft.com>
- Cc: Martin Thomson <martin.thomson@gmail.com>, Kari Hurtta <hurtta-ietf@elmme-mailer.org>, McManus Patrick <mcmanus@ducksong.com>, HTTP working group mailing list <ietf-http-wg@w3.org>
> On 06.10.2016 at 20:12, Mike Bishop <Michael.Bishop@microsoft.com> wrote:
>
> """
> Before using a secure alternative for an http:// origin, a client MUST first request /.well-known/http-opportunistic at that origin. If this resource exists and a not-stale 2xx response is obtained, then requests for the origin MAY be directed toward the secure alternative.
> The contents of this resource do not matter. If multiple http:// origins are coalesced onto the same connection to a secure alternative, a client MUST obtain an http-opportunistic resource from each origin separately.
> """

+1

I like this because it avoids the hop-by-hop problem of a SETTING where it is the origin server's responsibility to get it right. And, as Martin noted, Alt-Svc headers are a possible angle of attack if clients have no other means to verify the server capability.

-Stefan
Received on Friday, 7 October 2016 07:24:57 UTC
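The client-side rule in the quoted proposal, written out as an added Python example that is not part of the original message or of any draft text. `OpportunisticGate`, `Probe`, the `fetch` hook and the `max_age` field are hypothetical names, how the probe request is carried is left to the hook, and the two origins are constructed sample data.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

WELL_KNOWN = "/.well-known/http-opportunistic"

@dataclass
class Probe:
    status: int      # status code of the well-known response
    max_age: float   # remaining freshness lifetime in seconds (0 = stale)

@dataclass
class OpportunisticGate:
    fetch: Callable[[str, str], Probe]            # hypothetical transport hook
    now: Callable[[], float] = time.monotonic
    _fresh_until: Dict[str, float] = field(default_factory=dict)

    def may_use_alternative(self, origin: str) -> bool:
        """True only if this http:// origin has its own non-stale 2xx."""
        if not origin.startswith("http://"):
            return False  # the rule covers http:// origins only
        if self.now() < self._fresh_until.get(origin, float("-inf")):
            return True   # earlier confirmation for this origin is still fresh
        probe = self.fetch(origin, WELL_KNOWN)    # one probe per origin
        if 200 <= probe.status < 300 and probe.max_age > 0:
            self._fresh_until[origin] = self.now() + probe.max_age
            return True   # response body is deliberately ignored
        self._fresh_until.pop(origin, None)
        return False

def demo():
    # Constructed sample: two origins coalesced onto one secure alternative.
    responses = {
        "http://a.example": Probe(200, 60),
        "http://b.example": Probe(404, 0),
    }
    clock = [0.0]
    calls = []
    def fetch(origin, path):
        calls.append((origin, path))
        return responses[origin]
    gate = OpportunisticGate(fetch, now=lambda: clock[0])
    first = (gate.may_use_alternative("http://a.example"),
             gate.may_use_alternative("http://b.example"))
    clock[0] = 61.0                       # a.example's confirmation has expired
    responses["http://a.example"] = Probe(404, 0)
    after_expiry = gate.may_use_alternative("http://a.example")
    return first, after_expiry, calls
```

In the constructed run, `b.example` shares the connection with `a.example` but is never routed to the alternative, and `a.example` loses its confirmation once the cached response goes stale and the resource is gone.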