- From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
- Date: Wed, 20 Nov 2013 10:29:12 +0100
- To: "Adrien de Croy" <adrien@qbik.com>
- Cc: "Mark Nottingham" <mnot@mnot.net>, "HTTP Working Group" <ietf-http-wg@w3.org>
On Wed, 20 November 2013 03:26, Adrien de Croy wrote:
>
> proxy discovery could almost deserve its own issue.
>
> A long time ago 305 Use Proxy was deprecated (and apparently it wasn't
> implemented anyway by UA authors).
>
> Personally I think it (or something similar) could have been useful in a
> restricted (trusted) environment to force a browser to use a proxy that
> they weren't going to get anywhere without using.

A way for proxies to communicate with UAs is certainly required for explicit proxies to work. And that implies a specific communication stream with the proxies, to carry prompts, errors, auth, etc. in a secure way with no leakage or spoofing.

305 is universally hated because it's in-stream, so

1. depending on your implementation it does not work with https,
2. or implies breaking TLS,
3. UAs may refuse to display it because of connection spoofing,
4. there is always the risk of leakage if either the intermediary forgets to remove creds before relaying, or the client sends creds *even when they are un-needed, just in case* (for example when the client moves to direct connection)

Also you need some sort of connection table because on a large private network you don't want to intercept all traffic just in case something wants to go outside through the proxy. So any way you look at it you end up defining magic dns entries that answer with this connection table to provide UAs with this info (though it does not need to be the mess wpad is). If undefined currently I guess people will just intercept google, and that will sort of work till search market share changes.

--
Nicolas Mailhot
Received on Wednesday, 20 November 2013 09:29:52 UTC