On 11/11/2008 10:46, Eduardo Casais wrote: >> I don't think I agree. If a server doesn't want >> HTTPS links rewritten then it can prevent this happening by >> adding no-transform. Once a secure link is established >> it's moot as the proxy has no sight of that traffic. > >> See above. The no-transform applies to the page with the >> original HTTPS link in -i.e. 1 - so 2 can't happen. > > This is valid under the assumption that the first request -- the one to the page containing the original https URI -- is made to the same server, under the same transformation conditions. > > There is no way to ensure this is true. If the https URI is contained in a page returned from another server (e.g. a page of results from a search engine), which does not apply no-transform, then the situation I described may well occur: the URI is rewritten (search results page), the modified request is made to the server, and so on. > Thanks, that is a very good point. There's no doubt in my mind that further work needs to be done on this section, and this is a specific use case that needs to be called out. >> And that is the Via header. It's not possible to find a >> Via header in an HTTPS connection that hasn't been >> intercepted. Francois has an action to discuss your earlier >> point with relevant folks. > > All right, the case is still open. > > E.Casais > > > >Received on Tuesday, 11 November 2008 11:12:20 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 11 November 2008 11:12:20 GMT