While we are talking about decomposing the URI into its component
parts.....
why are we sending :scheme?
It's not something that I would trust from a client anyway.
If the connection is not TLS and the request says https, then I'm not going
to believe it. The only way I'll upgrade a request to https is with some
secret handshake with my SSL offloader via a special privileged port that
will probably nail all requests to https regardless of what the header says.
If the connection is TLS and the scheme says http, then I guess that tells
me something... that it is not TLS end to end, but then I don't know if I'm
meant to be trusting the hop or the end to end. It's landing on my
server as https... so I guess it is.
Or is scheme meant to be optional, as in h1 allowing an absolute URL to be
sent in the request line?
--
Greg Wilkins <gregw@intalio.com>
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com advice and support for jetty and cometd.