Sec-Scheme request header?

At the WG meeting in B-A, I tangentially wondered aloud about whether we should define a header in the form:

Sec-Scheme: https

Because it's prefixed with `Sec-`, browsers won't allow its modification (e.g., in XHR), so its value is relatively trustworthy from browser clients.

Because it's a header, rather than a pseudo-header (like :scheme), it's "end to end" -- it gets exposed to the application (e.g., through PHP, CGI, whatever) via standard APIs. As such, it's much more realistic to consume.

What do people think -- would such a thing be useful? 


--
Mark Nottingham   https://www.mnot.net/

Received on Wednesday, 13 April 2016 07:51:17 UTC
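
An added example, not part of the original message: how an application behind a CGI-style interface (Python WSGI here) could consume the proposed header, which such interfaces expose as `HTTP_SEC_SCHEME`. The function name `request_scheme`, the fallback to `wsgi.url_scheme`, and the reject-on-conflict policy are assumptions made for this sketch; `Sec-Scheme` itself is only the proposal above, not a deployed header.

```python
# Added example (not from the original message). Sec-Scheme is a proposed
# header; the validation policy below is an assumption.
ALLOWED_SCHEMES = {"http", "https"}


def request_scheme(environ, trust_header=True):
    """Return 'http' or 'https' for a request described by a WSGI environ.

    CGI (RFC 3875) and WSGI expose the request header `Sec-Scheme` as the
    variable HTTP_SEC_SCHEME. Browsers refuse to let page script set `Sec-`
    headers, but a non-browser client can send any value, so the result is
    a statement about browser-originated requests only.

    The CGI name mapping turns both '-' and '_' into '_', so the front-end
    server should drop header names containing underscores (several servers
    already do) before this code sees the request.
    """
    # Scheme of the hop that reached this server; used when no header exists.
    fallback = environ.get("wsgi.url_scheme", "http")
    raw = environ.get("HTTP_SEC_SCHEME")
    if not trust_header or raw is None:
        return fallback

    # Repeated header fields are folded into one comma-separated value.
    values = {part.strip().lower() for part in raw.split(",")}
    if len(values) != 1:
        raise ValueError("conflicting Sec-Scheme values: %r" % raw)
    (value,) = values
    if value not in ALLOWED_SCHEMES:
        raise ValueError("unexpected Sec-Scheme value: %r" % raw)
    return value


if __name__ == "__main__":
    # Constructed sample environ: TLS terminated upstream, plain HTTP hop.
    sample = {"wsgi.url_scheme": "http", "HTTP_SEC_SCHEME": "https"}
    print(request_scheme(sample))
```

A caller would treat `ValueError` as a malformed request (for example, answer 400) rather than guessing a scheme.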