- From: Erik Nygren <erik@nygren.org>
- Date: Thu, 24 Jul 2014 08:51:56 -0400
- To: Greg Wilkins <gregw@intalio.com>
- Cc: Matthew Kerwin <matthew@kerwin.net.au>, Adrien de Croy <adrien@qbik.com>, Zhong Yu <zhong.j.yu@gmail.com>, Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
This is a key part of: http://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-00

In particular, if a connection comes in over TLS it could now be either http or https. The :scheme header is a way to know which it is, especially as the scheme is a critical part of the URI and Origin tuple.

Note that many implementations make assumptions about TLS == https, so much of the work in draft-ietf-httpbis-http2-encryption will be (safely!) decoupling these.

Perhaps this doc needs some clarifying text to make this explicit?

Erik

On Thu, Jul 24, 2014 at 12:35 AM, Greg Wilkins <gregw@intalio.com> wrote:

>
> While we are talking about decomposing the uri into its component
> parts.....
>
> why are we sending :scheme?
>
> It's not something that I would trust from a client anyway.
>
> If the connection is not TLS and the request says https, then I'm not going
> to believe it. The only way I'll upgrade a request to https is with some
> secret handshake with my SSL offloader via a special privileged port that
> will probably nail all requests to https regardless of what the header says.
>
> If the connection is TLS and the scheme says http, then I guess that tells
> me something... that it is not TLS end to end, but then I don't know if I'm
> meant to be trusting the hop or the end to end. It's landing on my server
> as https... so I guess it is.
>
> Or is scheme meant to be optional, as in h1 allowing an absolute URL to be
> sent in the request line?
>
> --
> Greg Wilkins <gregw@intalio.com>
> http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
> http://www.webtide.com advice and support for jetty and cometd.
Received on Thursday, 24 July 2014 12:52:22 UTC
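
The decoupling discussed in this message, as an added example that is not part of the original email or of the draft: a server derives the request's origin from :scheme and :authority instead of from the presence of TLS, and refuses an https claim on a cleartext hop unless a trusted TLS terminator vouches for it. The function name, the `from_trusted_offloader` flag and the header values used with it are assumptions made for illustration.

```python
from typing import Mapping, NamedTuple

DEFAULT_PORTS = {"http": 80, "https": 443}


class Origin(NamedTuple):
    scheme: str
    host: str
    port: int


class RequestRejected(Exception):
    """The pseudo-headers cannot be accepted on this connection."""


def request_origin(headers: Mapping[str, str], transport_is_tls: bool,
                   from_trusted_offloader: bool = False) -> Origin:
    """Derive the origin tuple from :scheme and :authority, not from TLS.

    from_trusted_offloader is a hypothetical flag meaning the connection
    arrived on a privileged port used only by the site's own TLS terminator.
    """
    scheme = headers.get(":scheme", "").lower()
    if scheme not in DEFAULT_PORTS:
        raise RequestRejected(f"missing or unsupported :scheme {scheme!r}")

    # A client can put "https" in a header; only the transport (or a
    # trusted terminator in front of us) can vouch for it.
    if scheme == "https" and not (transport_is_tls or from_trusted_offloader):
        raise RequestRejected("https claimed on a cleartext connection")

    authority = headers.get(":authority", "")
    if "@" in authority:
        raise RequestRejected("userinfo is not allowed in :authority")

    # Split off an explicit port; "[::1]" without one has a non-numeric tail.
    host, port = authority, DEFAULT_PORTS[scheme]
    head, sep, tail = authority.rpartition(":")
    if sep and tail.isascii() and tail.isdigit():
        host, port = head, int(tail)
    if not host:
        raise RequestRejected("missing host in :authority")

    # TLS carrying :scheme http stays an http origin: encryption on the hop
    # does not promote the request to https.
    return Origin(scheme, host.lower(), port)
```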