Re: :scheme, was: consensus on :query ?

I think the requirement is that http-scheme-over-TLS must only be done
in a way where the client and server agree on the scheme in a way that
works hop-by-hop and also works with legacy clients.  In http/2 the
:scheme makes this clear.  In prior versions (eg, http/1.1) it's not
clear there's a sane way (eg, new headers) that unaware intermediaries
can't be made confused by an adversary on the client or server side?

On Thu, Jul 24, 2014 at 2:33 PM, Martin Thomson
<> wrote:
> On 24 July 2014 11:21, Erik Nygren <> wrote:
>> I'd been under the assumption that http-scheme-over-TLS would only be
>> allowed over HTTP/2?
> I'll open that issue.  We currently have no explicit restriction that
> prevents this.  I don't think that we have any reason to say
> HTTP/2-only.  I also don't think that we need a specific exclusion for
> HTTP/1.1, which is the other way we might cut this (so that we could
> retain the feature for some theorized HTTP/5, which may or may not be
> in active development for some major browser).
> That said, Mozilla doesn't plan to use oppsec for HTTP/1.1, at least
> in the short to medium term.

Received on Thursday, 24 July 2014 18:53:39 UTC