Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Eran Hammer-Lahav <eran@hueniverse.com>
Date: Wed, 11 Feb 2009 16:04:56 -0700
To: Adam Barth <w3c@adambarth.com>
CC: "www-talk@w3.org" <www-talk@w3.org>
Message-ID: <C5B89998.1278C%eran@hueniverse.com>

Exactly. Does that address your concern about scope?

(we can continue debating the value of the content type header as a measure
of security if you'd like...)

EHL


On 2/11/09 2:58 PM, "Adam Barth" <w3c@adambarth.com> wrote:

> On Wed, Feb 11, 2009 at 2:44 PM, Eran Hammer-Lahav <eran@hueniverse.com>
> wrote:
>> You got this backwards.
>
> Ah.  Thanks for this response.  I understand the situation much better now.
>
> Let me see if I understand this correctly for the case of the https scheme.
>
> 1. You want to find out more about example.com on port 443 speaking
> HTTP-over-TLS.
> 2. You want to find out more about https://example.com/resource/1 (and
> care about the HTTP-over-TLS representation).
>
> In both cases, you will do (wrapped in a TLS session):
>
> GET /host-meta HTTP/1.1
> Host: example.com:443
>
> Your point is that a Web browser would never want to find out more
> about https://example.com/resource/1 and care about the HTTP
> representation (it would always be interested in the HTTP-over-TLS
> representation).
>
> Thanks,
> Adam
>
Received on Wednesday, 11 February 2009 23:05:40 GMT
