Re: :scheme, was: consensus on :query ?

On 24/07/2014 5:19 p.m., Zhong Yu wrote:
> If a request self-claims that it is HTTPS, I think the server should
> just take its word for it. If a client lies about the scheme, the
> client does it at its own peril, and it should have the freedom to do
> so. If an intermediary (possibly a man-in-the-middle) lies about the
> scheme, there's not much the server can do about it.
> The problem in HTTP/1 is that the server has no reliable way to know
> whether the request was originated as HTTPS at the client end,
> (assuming client/intermediaries are all honest), because the request
> could have gone through multiple intermediaries that alternate
> TLS/PLAIN connections.

scheme is not about front-end. It is about what *backend* protocol the
proxy / second-to-last hop should use to contact the origin server.


Received on Thursday, 24 July 2014 07:58:49 UTC