
Re: :scheme, was: consensus on :query ?

From: Erik Nygren <erik@nygren.org>
Date: Thu, 24 Jul 2014 14:53:12 -0400
Message-ID: <CAKC-DJjir8pyMtY=RXLTYQS6yf8HOgjaxNf1_M+nMrur2wZmiQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Greg Wilkins <gregw@intalio.com>, Matthew Kerwin <matthew@kerwin.net.au>, Adrien de Croy <adrien@qbik.com>, Zhong Yu <zhong.j.yu@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
I think the requirement is that http-scheme-over-TLS must only be done
in a way where the client and server agree on the scheme in a way that
works hop-by-hop and also works with legacy clients.  In http/2 the
:scheme makes this clear.  In prior versions (e.g., http/1.1) it's not
clear there's a sane way (e.g., new headers) that unaware intermediaries
can't be confused by an adversary on the client or server side?


On Thu, Jul 24, 2014 at 2:33 PM, Martin Thomson
<martin.thomson@gmail.com> wrote:
> On 24 July 2014 11:21, Erik Nygren <erik@nygren.org> wrote:
>> I'd been under the assumption that http-scheme-over-TLS would only be
>> allowed over HTTP/2?
>
> I'll open that issue.  We currently have no explicit restriction that
> prevents this.  I don't think that we have any reason to say
> HTTP/2-only.  I also don't think that we need a specific exclusion for
> HTTP/1.1, which is the other way we might cut this (so that we could
> retain the feature for some theorized HTTP/5, which may or may not be
> in active development for some major browser).
>
> That said, Mozilla doesn't plan to use oppsec for HTTP/1.1, at least
> in the short to medium term.
Received on Thursday, 24 July 2014 18:53:39 UTC
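The distinction Erik draws above (HTTP/2 carries the scheme explicitly in :scheme, HTTP/1.1 origin-form requests carry none, so a hop can only infer it from its own transport) is easiest to see as a per-hop check. The following is an added example written for this archive page, not code from the thread or from any HTTP/2 implementation; the Hop class, the allow_opportunistic flag and the sample requests are assumptions made up for illustration.

```python
"""Per-hop effective-scheme decision: HTTP/2 :scheme vs. HTTP/1.1 transport inference.

Added example, not from the mailing-list thread. Hop, allow_opportunistic
and the sample requests below are invented for illustration.
"""
from dataclasses import dataclass


@dataclass
class Hop:
    over_tls: bool            # is this hop's own transport TLS?
    allow_opportunistic: bool  # does this hop accept :scheme=http over TLS?


class SchemeMismatch(Exception):
    """Raised when the stated scheme cannot be honoured on this hop."""


def effective_scheme_h2(pseudo: dict, hop: Hop) -> str:
    """HTTP/2: the client states the scheme, the hop checks it against transport.

    - :scheme=https over cleartext can never deliver what the client asked for.
    - :scheme=http over TLS is opportunistic security; accept it only where the
      hop is configured for it, and never silently relabel it as https.
    """
    scheme = pseudo.get(":scheme")
    if scheme not in ("http", "https"):
        raise SchemeMismatch(f"unsupported or missing :scheme {scheme!r}")
    if scheme == "https" and not hop.over_tls:
        raise SchemeMismatch("https requested over a cleartext hop")
    if scheme == "http" and hop.over_tls and not hop.allow_opportunistic:
        raise SchemeMismatch("http-over-TLS not enabled on this hop")
    return scheme


def effective_scheme_h1(request_line: str, hop: Hop) -> str:
    """HTTP/1.1: an origin-form request line ("GET / HTTP/1.1") has no scheme.

    The only signal a hop has is its own transport, so "http over TLS" is
    indistinguishable from an https request here; that is the ambiguity that
    makes opportunistic TLS hard to do safely for HTTP/1.1. Absolute-form
    targets (as sent to a forward proxy) do name a scheme, and that names the
    origin, not this hop's transport.
    """
    _method, target, _version = request_line.split(" ", 2)
    if "://" in target:
        return target.split("://", 1)[0].lower()
    return "https" if hop.over_tls else "http"


def demo() -> dict:
    """Run the same 'fetch /' request through a TLS hop in both protocol versions."""
    tls_hop_opp = Hop(over_tls=True, allow_opportunistic=True)
    tls_hop_strict = Hop(over_tls=True, allow_opportunistic=False)
    h2_http = {":method": "GET", ":scheme": "http",
               ":authority": "example.com", ":path": "/"}  # constructed request
    results = {
        "h2_opportunistic_hop": effective_scheme_h2(h2_http, tls_hop_opp),
        "h1_same_hop": effective_scheme_h1("GET / HTTP/1.1", tls_hop_opp),
    }
    try:
        effective_scheme_h2(h2_http, tls_hop_strict)
        results["h2_strict_hop"] = "accepted"
    except SchemeMismatch as exc:
        results["h2_strict_hop"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The HTTP/2 path can refuse or accept the http-over-TLS case deliberately because the client said what it meant; the HTTP/1.1 path returns "https" for the identical bytes on the wire, with no way to tell that the client considered the resource to be plain http.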
