Re: constraining scheme (http vs https) on a connection

Filed for the opp-sec draft where this is most relevant:

In particular, mixing of secure and insecure schemes should require
server-side opt-in over a strongly authenticated channel.  (e.g., an
attribute of /.well-known/http-opportunistic with properties similar to
"commit" as for where it can be set).


At the least, we should warn about the issues that might be encountered.
> Servers can then choose not to advertise services like this, and clients
> can choose not to consume them.

Received on Tuesday, 31 May 2016 22:32:25 UTC
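As an added illustration of the client-side check the proposal above implies (this is example code written for this page, not from the thread, the draft, or any implementation): the client only treats an http:// origin as eligible for a TLS connection if the /.well-known/http-opportunistic document was retrieved over a server-authenticated connection and lists that origin, and it only lets http:// and https:// requests share one connection if the document additionally carries an explicit opt-in. The "origins" array follows the draft; the "mixed-schemes" member, the ConnectionPolicy class and the sample document are assumptions made for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a /.well-known/http-opportunistic body. The "origins"
# member follows the draft; "mixed-schemes" is a hypothetical opt-in attribute
# assumed for this example and is not defined by the draft.
WELL_KNOWN_DOC = json.dumps({
    "origins": ["http://www.example.com", "http://example.com:8080"],
    "mixed-schemes": True,
})


def normalize_origin(url):
    """Return scheme://host[:port] with host lowercased and default ports dropped."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default = {"http": 80, "https": 443}.get(scheme)
    if parts.port is None or parts.port == default:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{parts.port}"


def parse_well_known(body):
    """Parse the document into (set of normalized origins, mixed-scheme opt-in).

    Only a JSON boolean true counts as opt-in; strings like "true" or any
    other truthy value are deliberately rejected.
    """
    doc = json.loads(body)
    if not isinstance(doc, dict) or not isinstance(doc.get("origins"), list):
        raise ValueError("malformed http-opportunistic document")
    origins = {normalize_origin(o) for o in doc["origins"] if isinstance(o, str)}
    mixed = doc.get("mixed-schemes") is True
    return origins, mixed


class ConnectionPolicy:
    """Decides whether a request may be sent on one server-authenticated TLS
    connection (hypothetical helper, not part of any draft)."""

    def __init__(self, doc_body, authenticated_for, doc_authenticated):
        # authenticated_for: hostnames the connection's certificate was
        # validated for. doc_authenticated: whether the well-known document
        # itself was fetched over such a connection; if not, it carries no
        # authority and is ignored entirely.
        if doc_authenticated:
            self.origins, self.mixed = parse_well_known(doc_body)
        else:
            self.origins, self.mixed = set(), False
        self.authenticated_for = {h.lower() for h in authenticated_for}

    def may_send(self, request_url, connection_has_https_traffic):
        """True if request_url may be sent on this connection.

        connection_has_https_traffic: the connection already carries (or
        will carry) https:// requests, so sending an http:// request on it
        would mix schemes.
        """
        parts = urlsplit(request_url)
        host = (parts.hostname or "").lower()
        if host not in self.authenticated_for:
            return False  # certificate does not cover this host
        scheme = parts.scheme.lower()
        if scheme == "https":
            return True  # https on an authenticated connection is always fine
        if scheme != "http" or normalize_origin(request_url) not in self.origins:
            return False  # http origin not advertised: no opportunistic use
        if connection_has_https_traffic and not self.mixed:
            return False  # server has not opted in to mixing schemes
        return True
```

The strictness in parse_well_known (only a literal JSON true opts in, and an unauthenticated copy of the document is discarded) is the point of the example: the opt-in must come from the server over a channel the client can verify, so anything short of that is treated as "no".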