W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2016

Re: Op-sec simplification

From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 1 Nov 2016 16:54:29 +1100
Message-ID: <CABkgnnWDqrn6Oqf62mPBqkp+0t9TvX1rO_Ge27LJW8EKmVjukA@mail.gmail.com>
To: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP working group mailing list <ietf-http-wg@w3.org>
On 1 November 2016 at 16:25, Kari Hurtta <hurtta-ietf@elmme-mailer.org> wrote:
> That may be good idea. (This spec requires scheme and http/1.1 spec does not
> allow scheme to be used. )

I have tried to capture this information in a PR:
  https://github.com/httpwg/http-extensions/pull/257

> |   | TBD1  | Scheme Not Allowed            | Section 2.2 |

We can probably avoid doing that on the basis that we have 421.

> |   | TBD2  | Scheme Required               | Section 2.1 |

The case for this seems weak.  You have to have a resource that is
only available on the cleartext version of the site, and you have to
use opp-sec, and the client has to be very silly.  I would prefer to
use 404 here.  That is, assume that the client asked for a secure
resource (https://example.com/http-only) which doesn't exist; rather
than asking for the unsecured resource (http://example.com/http-only)
which might.
Received on Tuesday, 1 November 2016 05:55:02 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 November 2016 05:55:05 UTC