Re: 2.2. Interaction with "https" URIs | Re: SETTINGS_MIXED_SCHEME_PERMITTED | Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt

From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 10 Oct 2016 15:55:17 +1100
Message-ID: <CABkgnnUBc9R+m9EwwuP000Cf2XMcS4Z+OWbV-Lcc=8n3GEAgLg@mail.gmail.com>
To: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Cc: Mike Bishop <Michael.Bishop@microsoft.com>, HTTP working group mailing list <ietf-http-wg@w3.org>, Patrick McManus <mcmanus@ducksong.com>

On 10 October 2016 at 15:45, Kari Hurtta <hurtta-ietf@elmme-mailer.org> wrote:
> After one "https" request that applies:
>
> |                            clients MUST NOT send "http" requests on a
> |    connection that has previously been used for "https" requests,

The point of this is to cover off any problems that might arise from
connection reuse.  It's clumsy.  I think that it should be reworded:
clients MUST NOT send "http" requests on a connection that would
ordinarily be used for "https" requests unless the http-opportunistic
origin object [...]

If scheme is determined on the first request and that causes this
check to pass, then we're going to get false positives.  Remember:
we're incapable of detecting all cases where the server decides to do
crazy things - I'm sure that I can devise a server architecture that
will fail for any solution we devise - we have to instead take steps
that we think are reasonable.
Received on Monday, 10 October 2016 04:55:47 UTC
