- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Tue, 1 Nov 2016 16:54:29 +1100
- To: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
- Cc: Mark Nottingham <mnot@mnot.net>, HTTP working group mailing list <ietf-http-wg@w3.org>

On 1 November 2016 at 16:25, Kari Hurtta <hurtta-ietf@elmme-mailer.org> wrote:
> That may be good idea. (This spec requires scheme and http/1.1 spec does not
> allow scheme to be used.)

I have tried to capture this information in a PR:
https://github.com/httpwg/http-extensions/pull/257

> | | TBD1 | Scheme Not Allowed | Section 2.2 |

We can probably avoid doing that on the basis that we have 421.

> | | TBD2 | Scheme Required | Section 2.1 |

The case for this seems weak. You have to have a resource that is only available on the cleartext version of the site, and you have to use opp-sec, and the client has to be very silly.

I would prefer to use 404 here. That is, assume that the client asked for a secure resource (https://example.com/http-only) which doesn't exist; rather than asking for the unsecured resource (http://example.com/http-only) which might.

Received on Tuesday, 1 November 2016 05:55:02 UTC