- From: Roland Zink <roland@zinks.de>
- Date: Fri, 25 Jul 2014 09:12:51 -0400
- To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
- Message-Id: <5D79AF2C-7F0F-4609-A506-3764C3B78EB3@zinks.de>
I guess this is similar to the origin server getting a :authority it is not serving. The server can check it or simple minded just ignore it. Roland > Am 24.07.2014 um 23:29 schrieb Erik Nygren <erik@nygren.org>: > > With AltSvc, http-scheme-over-TLS is highly relevant to client-to-origin as well. What is the behavior of non-proxy origins to getting absolute http:// request URIs over TLS with HTTP/1.1? Good point that this is normal for proxies, but I'd guess that many non-proxy origins would be confused by an absolute http:// request URI over TLS? With HTTP/2 this is expected to be a normal/typical to have browsers/clients send http-scheme-over-TLS to origins after an AltSvc. > > Erik > > > >> On Jul 24, 2014 8:17 PM, "Amos Jeffries" <squid3@treenet.co.nz> wrote: >> >> http-scheme-over-TLS is only useful when communicating to an explicit >> proxy. So the request URI is required to be in absolute-form where the >> scheme: is explicitly sent as http:// regardess of the TLS connection it >> arrives on. > ... >> > >> > On Thu, Jul 24, 2014 at 2:33 PM, Martin Thomson wrote: >> >> On 24 July 2014 11:21, Erik Nygren wrote: >> >>> I'd been under the assumption that http-scheme-over-TLS would only be >> >>> allowed over HTTP/2? >> >> >> >> I'll open that issue. We currently have no explicit restriction that >> >> prevents this. I don't think that we have any reason to say >> >> HTTP/2-only. I also don't think that we need a specific exclusion for >> >> HTTP/1.1, which is the other way we might cut this (so that we could >> >> retain the feature for some theorized HTTP/5, which may or may not be >> >> in active development for some major browser). >> >> >> >> That said, Mozilla doesn't plan to use oppsec for HTTP/1.1, at least >> >> in the short to medium term. >> >
Received on Friday, 25 July 2014 13:13:17 UTC