
Re: SETTINGS_MIXED_SCHEME_PERMITTED | Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt

From: Stefan Eissing <stefan.eissing@greenbytes.de>
Date: Fri, 7 Oct 2016 09:24:26 +0200
Cc: Martin Thomson <martin.thomson@gmail.com>, Kari Hurtta <hurtta-ietf@elmme-mailer.org>, McManus Patrick <mcmanus@ducksong.com>, HTTP working group mailing list <ietf-http-wg@w3.org>
Message-Id: <01830E0E-37BD-4144-981E-99E82D7CDEE5@greenbytes.de>
To: Mike Bishop <Michael.Bishop@microsoft.com>

> On 06.10.2016 at 20:12, Mike Bishop <Michael.Bishop@microsoft.com> wrote:
> 
> """
> Before using a secure alternative for an http:// origin, a client MUST first request /.well-known/http-opportunistic at that origin.  If this resource exists and a not-stale 2xx response is obtained, then requests for the origin MAY be directed toward the secure alternative.
> The contents of this resource do not matter.  If multiple http:// origins are coalesced onto the same connection to a secure alternative, a client MUST obtain an http-opportunistic resource from each origin separately.
> """

+1

I like this because it avoids the hop-by-hop problem of a SETTING where it is the origin server's responsibility to get it right. And, as Martin noted, Alt-Svc headers are a possible angle of attack if clients have no other means to verify the server capability.

-Stefan
Received on Friday, 7 October 2016 07:24:57 UTC
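
The client-side rule in the quoted draft text, sketched as an added example; it is not code from this message or from the draft. The names ProbeResult, OpportunisticGate and origin_key are hypothetical, and freshness is simplified to Cache-Control max-age counted from the time the probe response was obtained.

```python
# Added illustration. ProbeResult, OpportunisticGate, origin_key and the
# max-age-only freshness model are assumptions, not names from the draft.
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/http-opportunistic"  # path named in the quoted text

@dataclass
class ProbeResult:
    status: int          # status of the GET for WELL_KNOWN at the origin
    fetched_at: float    # time the response was obtained (seconds)
    cache_control: str   # Cache-Control header value of that response

    def fresh_until(self) -> float:
        # Simplified freshness: only max-age is honoured; no-store/no-cache
        # or a missing max-age means the response counts as already stale.
        if re.search(r"\bno-(store|cache)\b", self.cache_control, re.I):
            return self.fetched_at
        m = re.search(r"\bmax-age=(\d+)", self.cache_control, re.I)
        return self.fetched_at + (int(m.group(1)) if m else 0)

def origin_key(url: str) -> tuple:
    # Origin = (scheme, host, port); only http:// origins are in scope.
    u = urlsplit(url)
    if u.scheme != "http" or not u.hostname:
        raise ValueError("not an http:// origin: %r" % url)
    return ("http", u.hostname.lower(), u.port or 80)

class OpportunisticGate:
    """Tracks, per http:// origin, whether the well-known probe succeeded."""

    def __init__(self):
        self._probes = {}

    def record_probe(self, url: str, result: ProbeResult) -> None:
        self._probes[origin_key(url)] = result

    def may_use_alternative(self, url: str, now: float) -> bool:
        # The resource body is ignored; only a fresh 2xx for this origin counts.
        p = self._probes.get(origin_key(url))
        if p is None:                    # never probed, even if coalesced
            return False
        if not 200 <= p.status <= 299:   # 404, redirect, 5xx: no opt-in
            return False
        return now < p.fresh_until()     # stale probe must be repeated
```

Because the gate is keyed by origin, a probe recorded for one origin never authorises another origin that happens to share the same connection to the secure alternative.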
