Re: Browser display of 403 responses bodies on CONNECT

------ Original Message ------
From: "Martin Thomson" <>
To: "Adrien de Croy" <>
Cc: "HTTP Working Group" <>
Sent: 18/06/2015 11:57:42 a.m.
Subject: Re: Browser display of 403 responses bodies on CONNECT

>On 17 June 2015 at 13:47, Adrien de Croy <> wrote:
>>  we're seeing nowadays many browsers don't display the content of a 
>>  denial response to a CONNECT request, instead displaying some generic
>>  home-baked browser warning about being unable to make a connection.
>I believe that this is because our users have requested a secure site
>and anything other than authenticated content provided by that site
>would present an unparalleled opportunity for MitM phishing attacks.

Just to clarify then.

It's preferable to MITM the TLS to send a block page back, than to send 
a block page back on a 403 response to the CONNECT?

>>  Is there any language in the RFC that encourages or discourages this
>>  behaviour, or should there be?
>I don't believe that there are any requirements on how content is
>rendered, no.  Nor should there be.
>RFC 2616 had some language around presentation to users, and asking
>for permission and so forth, but I believe that was one thing that was
>cleaned up in the latest round.

Received on Thursday, 18 June 2015 00:56:31 UTC
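As an added illustration of the behaviour discussed in this thread (not code from the thread, from any of its participants, or from any browser or proxy product): a minimal Python routine that parses a proxy's reply to a CONNECT request, treats only a 2xx status as an established tunnel, and for a denial such as 403 refuses to render the proxy's body as content of the requested https origin, keeping at most a tag-stripped, length-capped excerpt for a client-generated error page. The two sample responses are constructed for the example.

```python
# Added example for the CONNECT-denial discussion above. Not code from the thread
# or from any browser or proxy; both sample responses below are constructed.
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ConnectOutcome:
    status: int
    reason: str
    tunnel_established: bool
    tunnel_prefix: bytes            # bytes after a 2xx header block belong to the tunnel
    rendered_body: Optional[bytes]  # always None on non-2xx: proxy body is never origin content
    proxy_message: Optional[str]    # short untrusted excerpt for the client's own error page


# Constructed sample: a filtering proxy denying a CONNECT with an HTML block page.
PROXY_403 = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 52\r\n"
    b"\r\n"
    b"<html><body><h1>Blocked by policy</h1></body></html>"
)

# Constructed sample: a successful CONNECT followed by the first bytes of a TLS
# record from the origin; those bytes are tunnel payload, not a message body.
PROXY_200 = b"HTTP/1.1 200 Connection established\r\n\r\n\x16\x03\x03"

MAX_EXCERPT = 200  # cap on how much proxy-supplied text the error page may quote


def _parse_headers(lines):
    headers = {}
    for line in lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_connect_response(raw: bytes) -> ConnectOutcome:
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    status_line, *header_lines = head.split(b"\r\n")
    m = re.fullmatch(rb"HTTP/1\.[01] (\d{3})(?: (.*))?", status_line)
    if m is None:
        raise ValueError("malformed status line: %r" % status_line)
    status = int(m.group(1))
    reason = (m.group(2) or b"").decode("latin-1")
    headers = _parse_headers(header_lines)

    if 200 <= status < 300:
        # Tunnel mode: everything after the header block is handed to the TLS
        # layer untouched; there is no body to render.
        return ConnectOutcome(status, reason, True, rest, None, None)

    # Denial: the body was produced by the proxy, not by the requested origin.
    # Showing it under the origin's https URL would let any intermediary
    # impersonate the site, so it is never used as page content. At most a
    # tag-stripped, capped plain-text excerpt is kept, attributed to the proxy.
    body = rest
    if b"content-length" in headers:
        try:
            body = rest[: int(headers[b"content-length"])]
        except ValueError:
            body = b""
    text = re.sub(rb"<[^>]*>", b" ", body)
    text = b" ".join(text.split()).decode("utf-8", "replace")[:MAX_EXCERPT]
    return ConnectOutcome(status, reason, False, b"", None, text or None)


def client_error_page(outcome: ConnectOutcome, host: str) -> str:
    """The client-generated warning (the thread's 'home-baked' page) that replaces
    the proxy body; any proxy text is quoted as untrusted, never rendered as HTML."""
    page = (f"Could not establish a secure connection to {host}: "
            f"proxy replied {outcome.status} {outcome.reason}.")
    if outcome.proxy_message:
        page += f"\nProxy said (untrusted): {outcome.proxy_message}"
    return page


if __name__ == "__main__":
    denied = parse_connect_response(PROXY_403)
    print(client_error_page(denied, "example.com"))
    ok = parse_connect_response(PROXY_200)
    print("tunnel established:", ok.tunnel_established, "prefix:", ok.tunnel_prefix)
```

The design point is the asymmetry the thread describes: a 2xx switches the connection to tunnel mode, while any other status leaves the client with a proxy-authored message that has no claim to the origin's identity. Quoting it as attributed plain text lets a user see the proxy's policy reason without the block page being rendered as if the https site had served it.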