
Re: Op-sec simplification

From: Patrick McManus <mcmanus@ducksong.com>
Date: Mon, 31 Oct 2016 20:36:55 -0400
Message-ID: <CAOdDvNrvkYXTi3WkDG79Dqt0Nd4Q5q97b40BoVjeMGV39JFeTg@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Mike Bishop <Michael.Bishop@microsoft.com>, Martin Thomson <martin.thomson@gmail.com>, Kari Hurtta <hurtta-ietf@elmme-mailer.org>, HTTP working group mailing list <ietf-http-wg@w3.org>
or we just punt the legacy h1 cases away. I'm not aware of anyone doing an
experiment with them.



On Mon, Oct 31, 2016 at 7:25 PM, Mark Nottingham <mnot@mnot.net> wrote:

> Yes. What I meant was whether the opp-sec spec is writing in an implicit
> requirement to assure that it was absolute (for that request).
>
>
> > On 1 Nov. 2016, at 10:24 am, Mike Bishop <Michael.Bishop@microsoft.com> wrote:
> >
> > There's an explicit requirement in RFC 7230 for servers to accept it:
> >>  To allow for transition to the absolute-form for all requests in some
> >>  future version of HTTP, a server MUST accept the absolute-form in
> >>  requests, even though HTTP/1.1 clients will only send them in
> >>  requests to proxies.
> >
> > -----Original Message-----
> > From: Mark Nottingham [mailto:mnot@mnot.net]
> > Sent: Monday, October 31, 2016 4:17 PM
> > To: Martin Thomson <martin.thomson@gmail.com>
> > Cc: Kari Hurtta <hurtta-ietf@elmme-mailer.org>; HTTP working group mailing list <ietf-http-wg@w3.org>
> > Subject: Re: Op-sec simplification
> >
> >
> >> On 1 Nov. 2016, at 10:15 am, Martin Thomson <martin.thomson@gmail.com> wrote:
> >>
> >> On 1 November 2016 at 09:41, Mark Nottingham <mnot@mnot.net> wrote:
> >>> Hold on -- are we layering in a new requirement to use the absolute form of the URL?
> >>
> >> I don't know how we carry the scheme any other way.  We might try to
> >> weasel this as being not "directly" to the origin server.
> >>
> >> Maybe I should point out that this is in contradiction to that section.
> >
> > I suspect someone with a process bent will say that it needs to update
> > 7230, and having an experimental doc update a standards track one might
> > be... interesting. I suppose if we have consensus to do it, it might work.
> >
> >
> >> (FWIW, the servers I'm aware of all handle absolute URIs well enough.)
> >
> > Is there an implicit requirement for them to check that it was absolute?
> >
> > --
> > Mark Nottingham   https://www.mnot.net/
> >
> >
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>
>
Received on Tuesday, 1 November 2016 00:37:29 UTC
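The distinction this thread turns on, sketched as an added example that is not part of any message above: an HTTP/1.1 server classifies the request-target per RFC 7230 section 5.3 and reports whether the scheme was carried explicitly (absolute-form) or had to be inferred from the connection. The function names, the sample request lines and the inference policy for non-absolute forms are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def classify_request_target(target, method="GET"):
    """Return which RFC 7230 section 5.3 form a request-target takes."""
    if target == "*":
        return "asterisk-form"
    if target.startswith("/"):
        return "origin-form"
    if method == "CONNECT":
        return "authority-form"
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        return "absolute-form"
    raise ValueError("unrecognised request-target: %r" % target)


def request_scheme(request_line, over_tls):
    """Return (scheme, explicit) for one HTTP/1.1 request line.

    explicit is True only when the client sent absolute-form, so the
    scheme came from the request itself. Otherwise the scheme is
    inferred from the transport (assumed policy), which cannot tell an
    http:// resource fetched over TLS apart from an https:// one.
    """
    method, target, _version = request_line.split(" ")
    if classify_request_target(target, method) == "absolute-form":
        return urlsplit(target).scheme.lower(), True
    return ("https" if over_tls else "http"), False


if __name__ == "__main__":
    # Constructed sample request lines, all received on a TLS connection.
    samples = [
        "GET /index.html HTTP/1.1",
        "GET http://example.com/index.html HTTP/1.1",
        "GET https://example.com/index.html HTTP/1.1",
    ]
    for line in samples:
        scheme, explicit = request_scheme(line, over_tls=True)
        source = "explicit" if explicit else "inferred"
        print("%-48s scheme=%s (%s)" % (line, scheme, source))
```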
