- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 1 Jun 2016 12:06:54 +1000
- To: Mark Nottingham <mnot@mnot.net>
- Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

This is reasonable. A boolean `mixed-scheme` member that has to be true seems appropriate. It's cheap enough to warrant doing.

On 1 June 2016 at 11:10, Mark Nottingham <mnot@mnot.net> wrote:
> What do other folks think?
>
>
>> On 1 Jun 2016, at 8:31 AM, Erik Nygren <erik@nygren.org> wrote:
>>
>> Filed for the opp-sec draft where this is most relevant:
>>
>> https://github.com/httpwg/http-extensions/issues/188
>>
>> In particular, mixing of secure and insecure schemes should require server-side opt-in over a strongly authenticated channel. (eg, an attribute of /.well-known/http-opportunistic with properties similar to "commit" as for where it can be set).
>>
>> Erik
>>
>>
>> At the least, we should warn about the issues that might be encountered. Servers can then choose not to advertise services like this, and clients can choose not to consume them.
>
> --
> Mark Nottingham https://www.mnot.net/

Received on Wednesday, 1 June 2016 02:07:23 UTC