- From: Adrien de Croy <adrien@qbik.com>
- Date: Thu, 18 Jun 2015 04:51:28 +0000
- To: "Amos Jeffries" <squid3@treenet.co.nz>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
------ Original Message ------
From: "Amos Jeffries" <squid3@treenet.co.nz>

>Have a read through
><https://bugzilla.mozilla.org/show_bug.cgi?id=479880>.
>
>Amos

that's really sad.

I could fully support blocking 3xx responses to CONNECT as I can't imagine any bona fide use of this, but blocking bodies on 403 etc causes a lot of problems.

Executing script on non-200 response bodies seems reckless at best as well, that should have just been turned off.

What about the active attacker on the network that responds to CONNECT with 200? Are we relying on browsers identifying MitM to protect against that?

I would even settle for some XML that had to be sent back / parsed by the browser and turned into a meaningful error.

There's just no usable solution except for MitM, so we have another example of the fight for privacy causing more fallout and propagation of MitM, and still any attempts to ameliorate the "trusted" MitM are resisted.

Doesn't really help the poor user.
Received on Thursday, 18 June 2015 04:53:55 UTC