- From: Adrien de Croy <adrien@qbik.com>
- Date: Thu, 18 Jun 2015 00:54:05 +0000
- To: "Martin Thomson" <martin.thomson@gmail.com>
- Cc: "HTTP Working Group" <ietf-http-wg@w3.org>
------ Original Message ------
From: "Martin Thomson" <martin.thomson@gmail.com>
To: "Adrien de Croy" <adrien@qbik.com>
Cc: "HTTP Working Group" <ietf-http-wg@w3.org>
Sent: 18/06/2015 11:57:42 a.m.
Subject: Re: Browser display of 403 responses bodies on CONNECT

>On 17 June 2015 at 13:47, Adrien de Croy <adrien@qbik.com> wrote:
>> we're seeing nowadays many browsers don't display the content of a 403
>> denial response to a CONNECT request, instead displaying some generic
>> home-baked browser warning about being unable to make a connection.
>
>I believe that this is because our users have requested a secure site
>and anything other than authenticated content provided by that site
>would present an unparalleled opportunity for MitM phishing attacks.

Just to clarify then. It's preferable to MITM the TLS to send a block page back, than to send a block page back on a 403 response to the CONNECT?

Absurd.

>
>> Is there any language in the RFC that encourages or discourages this
>> behaviour, or should there be?
>
>I don't believe that there are any requirements on how content is
>rendered, no. Nor should there be.
>
>RFC 2616 had some language around presentation to users, and asking
>for permission and so forth, but I believe that was one thing that was
>cleaned up in the latest round.
Received on Thursday, 18 June 2015 00:56:31 UTC