
Re: Op-sec simplification

From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Date: Tue, 1 Nov 2016 19:35:37 +0200 (EET)
Message-Id: <201611011735.uA1HZbRJ006494@shell.siilo.fmi.fi>
To: Martin Thomson <martin.thomson@gmail.com>
CC: Kari Hurtta <hurtta-ietf@elmme-mailer.org>, Mark Nottingham <mnot@mnot.net>, HTTP working group mailing list <ietf-http-wg@w3.org>
Martin Thomson <martin.thomson@gmail.com>: (Tue Nov  1 07:54:29 2016)
> > |   | TBD2  | Scheme Required               | Section 2.1 |
> The case for this seems weak.  You have to have a resource that is
> only available on the cleartext version of the site, and you have to
> use opp-sec, and the client has to be very silly.  I would prefer to
> use 404 here.  That is, assume that the client asked for a secure
> resource (https://example.com/http-only) which doesn't exist; rather
> than asking for the unsecured resource (http://example.com/http-only)
> which might.

TBD2 Scheme Required

may happen when the listener is for op-sec only -- it expects only
http requests over TLS, and the listener does not serve https requests.

The scheme is required then because it is what is
required for op-sec.

Or that is also 421 (Misdirected Request) (as you suggested for
TBD1 Scheme Not Allowed).

/ Kari Hurtta
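As an added illustration (not code from the draft or from either poster), the two responses discussed above for an op-sec-only TLS listener that receives an `https`-scheme request, modelled in Python; the origin `example.com` and the resource sets are constructed for the example:

```python
"""Scheme handling on an opportunistic-security-only TLS listener.

Constructed illustration: the listener terminates TLS but is configured to
serve only the `http` scheme (opportunistic security) and has no https site
of its own. The two policies model the two responses discussed in the
thread for an `https` request that nevertheless reaches it.
"""

# Constructed resource sets for the hypothetical origin example.com.
HTTP_RESOURCES = {"/index", "/http-only"}   # cleartext site, also served via op-sec
HTTPS_RESOURCES = {"/index"}                # what an https site would hold

# Policies for an `https`-scheme request arriving on this listener:
MISDIRECTED = "misdirected"   # answer 421: this listener cannot speak for https
AS_HTTPS_LOOKUP = "as_https"  # answer as if it were an https resource (404 if absent)


def handle_request(headers: dict, policy: str = MISDIRECTED) -> int:
    """Return the status code for an HTTP/2-style request on the op-sec listener.

    `headers` maps pseudo-header names (":scheme", ":authority", ":path")
    to their values.
    """
    scheme = headers.get(":scheme")
    authority = headers.get(":authority")
    path = headers.get(":path")
    if not (scheme and authority and path):
        return 400  # malformed request: a required pseudo-header is missing
    if scheme == "http":
        # This is what the listener exists for: the cleartext site's
        # resources delivered over TLS, with the scheme unchanged.
        return 200 if path in HTTP_RESOURCES else 404
    if scheme == "https":
        if policy == MISDIRECTED:
            # No https site is served here, so the listener is not
            # authoritative for this request: 421 Misdirected Request.
            return 421
        # Treat it as a request for the https resource, which may not exist.
        return 200 if path in HTTPS_RESOURCES else 404
    return 400  # unknown scheme
```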
Received on Tuesday, 1 November 2016 17:36:16 UTC
