Re: Browser display of 403 responses bodies on CONNECT

On 17 June 2015 at 13:47, Adrien de Croy <adrien@qbik.com> wrote:
> we're seeing nowadays many browsers don't display the content of a 403
> denial response to a CONNECT request, instead displaying some generic
> home-baked browser warning about being unable to make a connection.

I believe that this is because our users have requested a secure site
and anything other than authenticated content provided by that site
would present an unparalleled opportunity for MitM phishing attacks.

> Is there any language in the RFC that encourages or discourages this
> behaviour, or should there be?

I don't believe that there are any requirements on how content is
rendered, no.  Nor should there be.

RFC 2616 had some language around presentation to users, and asking
for permission and so forth, but I believe that was one thing that was
cleaned up in the latest round.

Received on Wednesday, 17 June 2015 23:58:10 UTC