Re: Same resource exposed over HTTP and HTTPS

ons 2010-05-19 klockan 15:36 +0100 skrev Nathan:

> I've hit on a scenario where we'd like to identify resource with http 
> scheme URIs; where safe methods are exposed via standard HTTP, whereas 
> unsafe methods (in this case PUT and DELETE) would be exposed via HTTPS.

Content-Location can be used to hint about this. If both http and https
respond with the same https content location then clients will have a
hint that they are the same and also a hint that this location should be
used when updating the resource.

> I'm entirely unsure how to approach this, can find little documentation 
> on doing Upgrade; and am very unsure what it means to PUT to https://.. 
> and GET from http://.

Upgrade isn't used much if at all. Everyone seems quite satisfied with
using explicit https.

Upgrade can be compared to STARTTLS in other protocols if you are
familiar with that.

> The HTTP spec specifies "The PUT method requests that the enclosed 
> entity be stored at the supplied request-target." and under p1 messaging 
> 4.2 "The exact resource identified by an Internet request is determined 
> by examining both the request-target and the Host header field."

Right. There is an unintentional gap there. http != https, but the above
fails to account for that.


Received on Wednesday, 19 May 2010 19:36:56 UTC