Re: 2.2. Interaction with "https" URIs | Re: SETTINGS_MIXED_SCHEME_PERMITTED | Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt

On 10 October 2016 at 15:45, Kari Hurtta <> wrote:
> After one "https" reguest that apply:
> |                            clients MUST NOT send "http" requests on a
> |    connection that has previously been used for "https" requests,

The point of this is to cover off any problems that might arise from
connection reuse.  It's clumsy.  I think that it should be reworded:
clients MUST NOT send "http" requests on a connection that would
ordinarily be used for "https" requests unless the http-opportunistic
origin object [...]

If scheme is determined on the first request and that causes this
check to pass, then we're going to get false positives.  Remember:
we're incapable of detecting all cases where the server decides to do
crazy things - I'm sure that I can devise a server architecture that
will fail for any solution we devise - we have to instead take steps
that we think are reasonable.

Received on Monday, 10 October 2016 04:55:47 UTC