- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 17 Jun 2015 16:57:42 -0700
- To: Adrien de Croy <adrien@qbik.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On 17 June 2015 at 13:47, Adrien de Croy <adrien@qbik.com> wrote: > we're seeing nowadays many browsers don't display the content of a 403 > denial response to a CONNECT request, instead displaying some generic > home-baked browser warning about being unable to make a connection. I believe that this is because our users have requested a secure site and anything other than authenticated content provided by that site would present an unparalleled opportunity for MitM phishing attacks. > Is there any language in the RFC that encourages or discourages this > behaviour, or should there be? I don't believe that there is any requirements on how content is rendered, no. Nor should there be. RFC 2616 had some language around presentation to users, and asking for permission and so forth, but I believe that was one thing that was cleaned up in the latest round.
Received on Wednesday, 17 June 2015 23:58:10 UTC