- From: Amos Jeffries <squid3@treenet.co.nz>
- Date: Thu, 24 Jul 2014 19:58:06 +1200
- To: ietf-http-wg@w3.org
On 24/07/2014 5:19 p.m., Zhong Yu wrote: > If a request self-claims that it is HTTPS, I think the server should > just take its word for it. If a client lies about the scheme, the > client does it at its own peril, and it should have the freedom to do > so. If an intermediary (possibly a man-in-the-middle) lies about the > scheme, there's not much the server can do about it. > > The problem in HTTP/1 is that the server has no reliable way to know > whether the request was originated as HTTPS at the client end, > (assuming client/intermediaries are all honest), because the request > could have gone through multiple intermediaries that alternate > TLS/PLAIN connections. scheme is not about front-end. It is about what *backend* protocol the proxy / second-to-last hop should use to contact the origin server. Amos
Received on Thursday, 24 July 2014 07:58:49 UTC