Re: Op-sec simplification

Yes. What I meant was whether the opp-sec spec is writing in an implicit requirement to assure that it was absolute (for that request).


> On 1 Nov. 2016, at 10:24 am, Mike Bishop <Michael.Bishop@microsoft.com> wrote:
> 
> There's an explicit requirement in RFC 7230 for servers to accept it:
>>  To allow for transition to the absolute-form for all requests in some
>>  future version of HTTP, a server MUST accept the absolute-form in
>>  requests, even though HTTP/1.1 clients will only send them in
>>  requests to proxies.
> 
> -----Original Message-----
> From: Mark Nottingham [mailto:mnot@mnot.net] 
> Sent: Monday, October 31, 2016 4:17 PM
> To: Martin Thomson <martin.thomson@gmail.com>
> Cc: Kari Hurtta <hurtta-ietf@elmme-mailer.org>; HTTP working group mailing list <ietf-http-wg@w3.org>
> Subject: Re: Op-sec simplification
> 
> 
>> On 1 Nov. 2016, at 10:15 am, Martin Thomson <martin.thomson@gmail.com> wrote:
>> 
>> On 1 November 2016 at 09:41, Mark Nottingham <mnot@mnot.net> wrote:
>>> Hold on -- are we layering in a new requirement to use the absolute form of the URL?
>> 
>> I don't know how we carry the scheme any other way.  We might try to 
>> weasel this as being not "directly" to the origin server.
>> 
>> Maybe I should point out that this is in contradiction to that section.
> 
> I suspect someone with a process bent will say that it needs to update 7230, and having an experimental doc update a standards track one might be... interesting. I suppose if we have consensus to do it, it might work.
> 
> 
>> (FWIW, the servers I'm aware of all handle absolute URIs well enough.)
> 
> Is there an implicit requirement for them to check that it was absolute?
> 
> --
> Mark Nottingham   https://www.mnot.net/
> 
> 

--
Mark Nottingham   https://www.mnot.net/

Received on Monday, 31 October 2016 23:26:19 UTC