Re: constraining scheme (http vs https) on a connection

Does Martin's suggestion of a flag in the .well-known file work for you?

Cheers,

> On 2 Jun 2016, at 1:18 AM, Erik Nygren <erik@nygren.org> wrote:
> 
> If it helps, this came up as an important corner-case during implementation / detailed-design of a server-side implementation.
> 
> 
> On Tue, May 31, 2016 at 10:06 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
> This is reasonable.  A boolean `mixed-scheme` member that has to be
> true seems appropriate.  It's cheap enough to warrant doing.
> 
> On 1 June 2016 at 11:10, Mark Nottingham <mnot@mnot.net> wrote:
> > What do other folks think?
> >
> >
> >> On 1 Jun 2016, at 8:31 AM, Erik Nygren <erik@nygren.org> wrote:
> >>
> >> Filed for the opp-sec draft where this is most relevant:
> >>
> >>      https://github.com/httpwg/http-extensions/issues/188
> >>
> >> In particular, mixing of secure and insecure schemes should require server-side opt-in over a strongly authenticated channel.  (e.g., an attribute of /.well-known/http-opportunistic with properties similar to "commit" as for where it can be set).
> 

--
Mark Nottingham   https://www.mnot.net/

Received on Thursday, 2 June 2016 00:06:45 UTC
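
An added example, not part of the original thread or of any draft text: a client-side check that fails closed unless the `/.well-known/http-opportunistic` resource was obtained over a strongly authenticated channel and carries a `mixed-scheme` member that is exactly boolean `true`. The flat JSON layout, the function name `mayMixSchemes` and the `channelAuthenticated` parameter are assumptions made for illustration.

```javascript
'use strict';

// Constructed sample bodies for /.well-known/http-opportunistic.
// The flat JSON layout is an assumption; the thread only names the member.
const SAMPLES = {
  optedIn: '{"mixed-scheme": true}',
  stringTrue: '{"mixed-scheme": "true"}', // truthy, but not boolean true
  absent: '{}',
  notObject: '[true]',
  malformed: '{"mixed-scheme": tru',
};

// Hypothetical helper: decide whether http:// and https:// requests may
// share one connection. `body` is the raw text of the well-known resource;
// `channelAuthenticated` must be true only when that resource was fetched
// over a strongly authenticated channel. Every other case denies mixing.
function mayMixSchemes(body, channelAuthenticated) {
  const deny = (reason) => ({ allowed: false, reason });

  // Opt-in learned over an unauthenticated channel could have been
  // injected by an on-path party, so it is ignored.
  if (channelAuthenticated !== true) return deny('channel not authenticated');

  let doc;
  try {
    doc = JSON.parse(body);
  } catch (e) {
    return deny('unparseable');
  }
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) {
    return deny('not a JSON object');
  }
  // Own-property check so inherited properties never count as opt-in.
  if (!Object.prototype.hasOwnProperty.call(doc, 'mixed-scheme')) {
    return deny('mixed-scheme absent');
  }
  // "Has to be true": strict comparison rejects "true", 1 and other truthy values.
  if (doc['mixed-scheme'] !== true) {
    return deny('mixed-scheme is not boolean true');
  }
  return { allowed: true, reason: 'server opted in' };
}
```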