RE: Op-sec simplification

There's an explicit requirement in RFC 7230 for servers to accept it:
>   To allow for transition to the absolute-form for all requests in some
>   future version of HTTP, a server MUST accept the absolute-form in
>   requests, even though HTTP/1.1 clients will only send them in
>   requests to proxies.

-----Original Message-----
From: Mark Nottingham [] 
Sent: Monday, October 31, 2016 4:17 PM
To: Martin Thomson <>
Cc: Kari Hurtta <>; HTTP working group mailing list <>
Subject: Re: Op-sec simplification

> On 1 Nov. 2016, at 10:15 am, Martin Thomson <> wrote:
> On 1 November 2016 at 09:41, Mark Nottingham <> wrote:
>> Hold on -- are we layering in a new requirement to use the absolute form of the URL?
> I don't know how we carry the scheme any other way.  We might try to 
> weasel this as being not "directly" to the origin server.
> Maybe I should point out that this is in contradiction to that section.

I suspect someone with a process bent will say that it needs to update 7230, and having an experimental doc update a standards track one might be... interesting. I suppose if we have consensus to do it, it might work.

> (FWIW, the servers I'm aware of all handle absolute URIs well enough.)

Is there an implicit requirement for them to check that it was absolute?

Mark Nottingham

Received on Monday, 31 October 2016 23:25:21 UTC