Re: :scheme, was: consensus on :query ?

On Thu, Jul 24, 2014 at 12:35 AM, Greg Wilkins <> wrote:

> why are we sending :scheme?
because its part of the resource name. http://example/foo and
https://example/foo are different resources - scheme disambiguates them.

> It's not something that I would trust from a client anyway

then why do you trust :path?

Mostly, I jest.

But just as you check the security context against the :path, you also
check the security context against :scheme.. and sure, receiving https
without tls is something 7230 says is an error. I think 6455 says the same
thing about wss. However just because TLS is present doesn't mean https is
the only acceptable scheme.

Received on Thursday, 24 July 2014 13:32:53 UTC