- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Mon, 10 Oct 2016 15:55:17 +1100
- To: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
- Cc: Mike Bishop <Michael.Bishop@microsoft.com>, HTTP working group mailing list <ietf-http-wg@w3.org>, Patrick McManus <mcmanus@ducksong.com>

On 10 October 2016 at 15:45, Kari Hurtta <hurtta-ietf@elmme-mailer.org> wrote:
> After one "https" request that apply:
>
> | clients MUST NOT send "http" requests on a
> | connection that has previously been used for "https" requests,

The point of this is to cover off any problems that might arise from connection reuse. It's clumsy. I think that it should be reworded:

clients MUST NOT send "http" requests on a connection that would ordinarily be used for "https" requests unless the http-opportunistic origin object [...]

If scheme is determined on the first request and that causes this check to pass, then we're going to get false positives.

Remember: we're incapable of detecting all cases where the server decides to do crazy things - I'm sure that I can devise a server architecture that will fail for any solution we devise - we have to instead take steps that we think are reasonable.

Received on Monday, 10 October 2016 04:55:47 UTC