W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2014

Re: ext#9: OppSec and Proxies

From: Patrick McManus <pmcmanus@mozilla.com>
Date: Wed, 2 Jul 2014 11:09:25 -0400
Message-ID: <CAOdDvNpvcROXheN9XOhQixae6=Fkf_2MZZ7r6nO8pZNCvDJOrw@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Wed, Jul 2, 2014 at 2:26 AM, Mark Nottingham <mnot@mnot.net> wrote:

> <https://github.com/httpwg/http-extensions/issues/9>
> We need to define how a client using OppSec connects to a configured proxy

I'm not sure we need to define one path. It seems like a trust and policy
decision where it is sufficient to describe the mechanisms. Both proxying
and tunneling are sensible under different circumstances .

> Does the answer change if the proxy is http vs https?

That's one input. Another is the trust relationship you have with the proxy
and another might be the backend protocol capabilities of the intermediary.
(i.e. does it do OppSec as a client? does it do >= the client protocol
version, etc..)

> Can the proxy advertise OppSec?
devil is in the details - but generically: yes that's desirable
Received on Wednesday, 2 July 2014 15:09:51 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 30 March 2016 09:57:08 UTC