- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Thu, 24 Jul 2014 10:12:26 -0700
- To: Greg Wilkins <gregw@intalio.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Received on Thursday, 24 July 2014 17:12:52 UTC
On Jul 23, 2014, at 10:15 PM, Greg Wilkins wrote:

> On 24 July 2014 15:02, Adrien de Croy <adrien@qbik.com> wrote:
> so that when a client sends the http2 equivalent of
>
> GET ftp://ftp.somewhere.com/file /HTTP/1.1
>
> to a proxy, we can do it.
>
> That's a reasonable usage.
>
> But distinguishing between http and https is not. Can't we just not send the scheme for HTTP and if we do then it should just be http and never https. At the very least we should point out that :scheme is not a trusted value and just because it says https does not mean the request is secure.

Actually, people use many different schemes to access HTTP services. You don't see them because it can't be communicated yet.

> There is plenty of code out there that implements the equivalent of
>
> boolean isSecure() { return "https".equals(getScheme()); }

Yep, and they are all guesses. It doesn't actually work in all cases, but there is no alternative in HTTP/1. It would be a shame not to fix a known bug in HTTP/1.

....Roy
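The following is an added example, not part of the original message or of any implementation discussed in the thread. It contrasts the scheme-based `isSecure()` guess quoted above with a check based on the connection the request actually arrived on. The `Request` record, its field names and the sample requests are constructed for illustration.

```java
import java.util.List;

public class SchemeTrustDemo {

    // Constructed model (hypothetical names): the scheme the client claimed,
    // e.g. the HTTP/2 :scheme value, and whether the connection the request
    // arrived on was actually protected by TLS.
    record Request(String claimedScheme, boolean arrivedOverTls) {}

    // The pattern quoted in the message: trusts a client-supplied string.
    static boolean isSecureByScheme(Request r) {
        return "https".equals(r.claimedScheme());
    }

    // Transport-based check: only the state of the connection counts.
    static boolean isSecureByTransport(Request r) {
        return r.arrivedOverTls();
    }

    // Report whether the scheme-based guess agrees with the transport.
    static String classify(Request r) {
        boolean guess = isSecureByScheme(r);
        boolean actual = isSecureByTransport(r);
        if (guess == actual) {
            return "consistent";
        }
        return guess ? "scheme says secure, transport is cleartext"
                     : "scheme says not secure, transport is TLS";
    }

    public static void main(String[] args) {
        // Constructed sample requests, not captured traffic.
        List<Request> samples = List.of(
            new Request("https", true),   // guess happens to be right
            new Request("http", false),   // guess happens to be right
            new Request("https", false),  // claimed https over cleartext
            new Request("ftp", true)      // non-http scheme sent to a proxy over TLS
        );
        for (Request r : samples) {
            System.out.printf("%-6s tls=%-5b byScheme=%-5b byTransport=%-5b %s%n",
                r.claimedScheme(), r.arrivedOverTls(),
                isSecureByScheme(r), isSecureByTransport(r), classify(r));
        }
    }
}
```

The last two samples are the cases where the guess fails: a request that says `https` without TLS underneath, and a request with another scheme that the string comparison reports as not secure even though the connection is.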