- From: Mark Nottingham <mnot@mnot.net>
- Date: Fri, 27 Oct 2017 16:03:04 +1100
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: John Fallows <john.fallows@kaazing.com>, Patrick McManus <pmcmanus@mozilla.com>, hybi <hybi@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
On 27 Oct 2017, at 4:01 pm, Martin Thomson <martin.thomson@gmail.com> wrote:
>
> On Fri, Oct 27, 2017 at 10:39 AM, Mark Nottingham <mnot@mnot.net> wrote:
>> Just to give some context as to why I don't think it's a subtle change -- consider OWASP's mod_security CRS, which is the basis of most WAF products. It has baked-in assumptions about the semantics of CONNECT; e.g.,
>> <https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/e4e0497be4d598cce0e0a8fef20d1f1e5578c8d0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf>
>
> I found this message quite obtuse (and that file worse), but what I
> think you are saying is that an origin server might treat CONNECT
> specially in a way that might make a new method easier to deploy.
> That's a fine argument for a new method.

We work in a field of jargon and extreme specialisation. You should try talking to those browser folks sometime...

--
Mark Nottingham https://www.mnot.net/
Received on Friday, 27 October 2017 05:03:36 UTC