Re: Sec-Scheme request header?

On Wed, Apr 13, 2016 at 9:50 AM, Mark Nottingham <> wrote:

> At the WG meeting in B-A, I tangentially wondered aloud about whether we
> should define a header in the form:
> Sec-Scheme: https
> Because it's prefixed with `Sec-`, browsers won't allow its modification
> (e.g., in XHR), so its value is relatively trustworthy from browser clients.
> Because it's a header, rather than a pseudo-header (like :scheme), it's
> "end to end" -- it gets exposed to the application (e.g., through PHP, CGI,
> whatever) via standard APIs. As such, it's much more realistic to consume.
> What do people think -- would such a thing be useful?

Could you explain the use-case? Ctrl+F in came
up empty, so context would be helpful. :)


Received on Wednesday, 13 April 2016 07:55:25 UTC