- From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
- Date: Tue, 1 Nov 2016 19:35:37 +0200 (EET)
- To: Martin Thomson <martin.thomson@gmail.com>
- CC: Kari Hurtta <hurtta-ietf@elmme-mailer.org>, Mark Nottingham <mnot@mnot.net>, HTTP working group mailing list <ietf-http-wg@w3.org>
Martin Thomson <martin.thomson@gmail.com>: (Tue Nov 1 07:54:29 2016)
>
> | | TBD2 | Scheme Required | Section 2.1 |
>
> The case for this seems weak. You have to have a resource that is
> only available on the cleartext version of the site, and you have to
> use opp-sec, and the client has to be very silly. I would prefer to
> use 404 here. That is, assume that the client asked for a secure
> resource (https://example.com/http-only) which doesn't exist; rather
> than asking for the unsecured resource (http://example.com/http-only)
> which might.

TBD2 Scheme Required may happen when listener is for op-sec only -- it expects only http requests over TLS and listener does not serve https requests.

Scheme is required then because it is what is required for op-sec.

Or that is 421 (Misdirected Request) also (as you suggested for TBD1 Scheme Not Allowed).

/ Kari Hurtta
Received on Tuesday, 1 November 2016 17:36:16 UTC