- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Tue, 29 Jul 2014 09:29:47 -0700
- To: Mark Nottingham <mnot@mnot.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On 28 July 2014 23:38, Mark Nottingham <mnot@mnot.net> wrote:

> Another concern briefly mentioned was that such an extension might inhibit protocol evolution; e.g., if a firewall whitelists what tunnelled protocols it accepts, it might be that we're stuck advertising "h2" in the future. However, there didn't seem to be strong concern here, since ALPN negotiation is a separate step, and HTTP can choose to omit this header when using CONNECT for its own purposes.

I'll note that the header field only brings the information forward. A proxy that permits an unlabelled CONNECT can (maybe) examine the TLS ClientHello to see what protocols are being offered. That is, if TLS is involved at all; though other protocols could have similarly distinctive fingerprints.

Omitting the header field will, at least in the short term, avoid any whitelisting issues. However, if we start using this for "h2", then we could end up with omission being risky. My crystal ball tells me that this is unlikely on any relevant timescale :)
Received on Tuesday, 29 July 2014 16:30:16 UTC
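
The ClientHello inspection mentioned in the message above can be sketched as follows. This is an added example, not part of the original message or of any proxy's code: it reads the ALPN extension (RFC 7301) from the first TLS record of a tunnelled stream. The function names `alpn_protocols` and `build_client_hello` are hypothetical, and the sample ClientHello is constructed for the demonstration.

```python
import struct

ALPN_EXT = 16  # application_layer_protocol_negotiation (RFC 7301)

def alpn_protocols(record):
    """ALPN names offered in a ClientHello record; [] if none; None if not parseable."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:   # handshake record, ClientHello
            return None
        rec_len = struct.unpack_from("!H", record, 3)[0]
        body = record[5:5 + rec_len]
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) != hs_len:
            return None  # truncated, or ClientHello split across records (not handled)
        pos = 2 + 32                                  # client_version + random
        pos += 1 + hello[pos]                         # session_id
        pos += 2 + struct.unpack_from("!H", hello, pos)[0]  # cipher_suites
        pos += 1 + hello[pos]                         # compression_methods
        if pos == len(hello):
            return []                                 # no extensions block at all
        ext_end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
            pos += 4
            if ext_type == ALPN_EXT:
                data = hello[pos:pos + ext_len]
                list_len = struct.unpack_from("!H", data, 0)[0]
                names, i = [], 2
                while i < 2 + list_len:               # length-prefixed protocol names
                    n = data[i]
                    names.append(data[i + 1:i + 1 + n].decode("ascii"))
                    i += 1 + n
                return names
            pos += ext_len
        return []
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                   # not TLS, or malformed

def build_client_hello(protocols=None):
    """Constructed sample: minimal TLS 1.2 ClientHello record (None = no ALPN)."""
    exts = b""
    if protocols is not None:
        plist = b"".join(bytes([len(p)]) + p.encode() for p in protocols)
        exts = struct.pack("!HHH", ALPN_EXT, len(plist) + 2, len(plist)) + plist
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```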