- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Fri, 20 Sep 2013 22:36:25 -0700
- To: William Chan (陈智昌) <willchan@chromium.org>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
- Message-Id: <1EB12FDA-12B6-411C-AC18-15390E19FF10@gbiv.com>
On Sep 20, 2013, at 9:21 PM, William Chan (陈智昌) wrote:

> As usual, I feel like when you and I disagree on mailing lists, we spend many roundtrips just to find out that we misunderstood each other and we actually agree :)
>
> So, when I said "I'm supportive of changing the spec to remove cross-origin push for http URIs." I meant http:// scheme, and primarily I meant unauthenticated (I know that Patrick is hopeful we can authenticate and encrypt http:// URIs in the future, but when I say http:// scheme today, I mean unauthenticated). So no cert or anything.
>
> Does that clear it up? If not, then I think I don't understand or just actually disagree :P Do you think we need to change the existing text, and if so, what do you propose?
>
> http://http2.github.io/http2-spec/#rfc.section.10.1
> =====
> A server that is contacted using TLS is authenticated based on the certificate that it offers in the TLS handshake (see [RFC2818], Section 3). A server is considered authoritative for an "https" resource if it has been successfully authenticated for the domain part of the origin of the resource that it is providing.
>
> A server is considered authoritative for an "http" resource if the connection is established to a resolved IP address for the domain in the origin of the resource.
>
> A client MUST NOT use, in any way, resources provided by a server that is not authoritative for those resources.

Umm, I hope folks realize that this last sentence forbids any form of hierarchical caching.

....Roy
Received on Saturday, 21 September 2013 05:36:48 UTC
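As an added illustration (not part of either message above, and not code from the HTTP/2 spec or any browser), here is a small Python model of the quoted section 10.1 authority test applied to PUSH_PROMISE targets; the connection facts, certificate hosts and DNS view are constructed inputs, and the `Connection` type and function names are assumptions for the example.

```python
"""Model of the draft-spec section 10.1 test: may a client use a pushed resource?"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Connection:
    """What the client knows about one HTTP/2 connection (hypothetical type).

    peer_ip:   address the TCP connection was actually established to
    tls_hosts: domains the server certificate was validated for (empty: no TLS)
    resolved:  the client's own DNS view, host -> set of IPs (constructed input)
    """
    peer_ip: str
    tls_hosts: frozenset
    resolved: dict


def is_authoritative(conn: Connection, url: str) -> bool:
    """True if the server on `conn` is authoritative for `url` under the quoted text."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")  # normalise case / trailing dot
    if not host:
        return False
    if parts.scheme == "https":
        # https authority comes only from TLS authentication of the origin's domain.
        return host in conn.tls_hosts
    if parts.scheme == "http":
        # http authority comes only from having connected to an IP the host resolves
        # to. Nothing cryptographic binds the server to the name, so every tenant
        # behind a shared address (CDN, shared hosting) passes this test equally.
        return conn.peer_ip in conn.resolved.get(host, ())
    return False


def filter_push_promises(conn: Connection, promised_urls):
    """Split PUSH_PROMISE targets into (usable, must_reject) per the MUST NOT rule."""
    usable, must_reject = [], []
    for url in promised_urls:
        (usable if is_authoritative(conn, url) else must_reject).append(url)
    return usable, must_reject


# Constructed scenario: a TLS connection to 192.0.2.10 whose certificate covers
# example.com and static.example.com; other.example is hosted elsewhere.
DEMO_CONN = Connection(
    peer_ip="192.0.2.10",
    tls_hosts=frozenset({"example.com", "static.example.com"}),
    resolved={"example.com": {"192.0.2.10"},
              "static.example.com": {"192.0.2.10"},
              "other.example": {"198.51.100.5"}},
)

if __name__ == "__main__":
    print(filter_push_promises(DEMO_CONN, ["https://static.example.com/app.js",
                                           "https://other.example/x",
                                           "http://other.example/x"]))
```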