Re: Mixed schemes from Patrick McManus on 2016-11-21 (ietf-http-wg@w3.org from October to December 2016)

From: Patrick McManus <mcmanus@ducksong.com>
Date: Mon, 21 Nov 2016 17:04:32 -0500
To: Mark Nottingham <mnot@mnot.net>
Cc: Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>, Erik Nygren <erik+ietf@nygren.org>
Message-ID: <CAOdDvNqD4iW8g2y0yYiEBwx6oY-7V_S_D3W+29K5PvtjZogMuw@mail.gmail.com>

I really think we can do #1, but I won't object to #2.

-P


On Sun, Nov 20, 2016 at 10:14 PM, Mark Nottingham <mnot@mnot.net> wrote:

> Personally -- SGTM (including #2).
>
>
> > On 21 Nov. 2016, at 1:29 pm, Martin Thomson <martin.thomson@gmail.com>
> wrote:
> >
> > Patrick (perhaps indirectly) suggested that we can harness a Firefox bug
> here:
> >
> >  https://github.com/httpwg/http-extensions/pull/270
> >
> > That is, rather than mention that coalescing between https and http
> > might happen, forbid it instead.
> >
> > I'm fairly sure that this will address the concerns Erik had.  Maybe
> > too effectively; objections like this would be good to hear.
> >
> > I didn't add any text here about coalescing two http:// origins.  I
> > don't want to close this issue until we resolve that too.  Should we:
> >
> > 1. allow coalescing of two http:// origins by default
> > 2. forbid coalescing of two http:// origins without an explicit signal
> >
> > My preference is for option 2.
> >
> > Let's be perfectly clear, there's no inherent protocol reason why we
> > can't coalesce.  But this stems from an (over)abundance of caution.
> > We can develop explicit opt-in signals regarding coalescing if it came
> > to that ... #include <ORIGIN frame discussions>.
> >
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>
>

Received on Monday, 21 November 2016 22:05:25 UTC