Re: :scheme, was: consensus on :query ? from Patrick McManus on 2014-07-24 (ietf-http-wg@w3.org from July to September 2014)

From: Patrick McManus <mcmanus@ducksong.com>
Date: Thu, 24 Jul 2014 09:32:25 -0400
To: Greg Wilkins <gregw@intalio.com>
Cc: Matthew Kerwin <matthew@kerwin.net.au>, Adrien de Croy <adrien@qbik.com>, Zhong Yu <zhong.j.yu@gmail.com>, Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAOdDvNoxpdJHOyjPa=LxXqiWsx4U46iUtpZ=9hg+Ndmx+d4U0g@mail.gmail.com>

On Thu, Jul 24, 2014 at 12:35 AM, Greg Wilkins <gregw@intalio.com> wrote:

> why are we sending :scheme?
>
>
because its part of the resource name. http://example/foo and
https://example/foo are different resources - scheme disambiguates them.

> It's not something that I would trust from a client anyway
>

then why do you trust :path?

Mostly, I jest.

But just as you check the security context against the :path, you also
check the security context against :scheme.. and sure, receiving https
without tls is something 7230 says is an error. I think 6455 says the same
thing about wss. However just because TLS is present doesn't mean https is
the only acceptable scheme.

Received on Thursday, 24 July 2014 13:32:53 UTC