- From: Ben Campbell <ben@nostrum.com>
- Date: Mon, 11 Jun 2018 20:44:09 -0500
- To: Patrick McManus <pmcmanus@mozilla.com>
- Cc: The IESG <iesg@ietf.org>, draft-ietf-httpbis-h2-websockets@ietf.org, Mark Nottingham <mnot@mnot.net>, httpbis-chairs@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>
- Message-Id: <BE5375BA-F4BE-438D-AB89-B54D67F2073D@nostrum.com>
> On Jun 10, 2018, at 6:50 PM, Patrick McManus <pmcmanus@mozilla.com> wrote:
>
>> On Thu, Jun 7, 2018 at 5:01 PM, Ben Campbell <ben@nostrum.com> wrote:
>>
>>> On Jun 7, 2018, at 3:13 AM, Patrick McManus <pmcmanus@mozilla.com> wrote:
>>>
>>> Hi Ben, thanks for the review -
>>>
>>>> On Wed, Jun 6, 2018 at 9:36 PM, Ben Campbell <ben@nostrum.com> wrote:
>>>>
>>>> Substantive:
>>>>
>>>> §5: Is the scheme pseudo-header expected to match the security status of the
>>>> existing connection?
>>>
>>> 7540 indicates the security requirements for carrying https or http schemes, which conveniently are the schemes used by this draft.
>>
>> Okay, let me check my understanding here.
>>
>> If I want to set up a tunnel for “wss”, :scheme must be https, and that’s only possible if the connection for the stream is running over TLS.
>
> right
>
>> And you are also disallowed to set up a tunnel for “ws” if the stream is running over a connection set up for HTTPS?
>
> ws uses the http :scheme, and the rules for doing that with TLS and h2 are set by RFC 8164 if a client really wants to. In most cases though they will just continue to use http/1 as that's what's normal for http:// resources.

Ah, got it. I think it would be helpful for this draft to elaborate a bit on the relationships between the websocket scheme and the security properties of the channel when used with h2. I’m not looking for detail; just a few sentences to explain what you just explained to me.

>>> The draft doesn't require that you use the connection that the markup was received on - though that's obviously desirable when possible.
>>
>> I’m a bit confused by that statement. I understand this mechanism to upgrade an existing stream to WebSocket. How would you do that on a different connection?
>
> The term upgrade is a bit confusing, but it is inherited from 6455. Everything needs to start with http(s) and then be turned into (i.e. upgraded into) websockets. You can do that with a new http connection.
> (the term upgrade comes from the h1 request header named upgrade to this in an h1 context)

I think this part is now academic, and should not delay progressing the document. But for my own education... Thinking about CONNECT in the general case: When you say “new http connection” do you mean a new connection between the client and the proxy or server, or a new connection between a proxy and a server resulting from CONNECT?

Thanks!

Ben.
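Editor's note: the exchange above spells out a rule that is easy to get wrong when implementing the extended CONNECT bootstrap: the :scheme pseudo-header carries http or https, the WebSocket scheme (ws or wss) follows from it, and https is only legitimate on a stream whose connection runs over TLS, while http over a TLS connection is only sensible under RFC 8164 opportunistic security. The following Python is an added illustration, not code from the draft or from any implementation discussed here; the header dictionaries, the `allow_rfc8164_opportunistic` flag and the `Decision` type are assumptions made for the example, and the sample requests are constructed.

```python
"""Check an HTTP/2 extended CONNECT (WebSocket bootstrap) request against
the security status of the connection it arrives on.

Added example: the mapping below follows the mailing-list discussion
(https :scheme -> wss, http :scheme -> ws); the pseudo-header shape follows
the extended CONNECT design (:method CONNECT, :protocol websocket, with
:scheme, :path and :authority present). Flag and type names are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Decision:
    allowed: bool
    ws_scheme: Optional[str]  # "ws" or "wss" once the tunnel is established
    reason: str


# The HTTP scheme on the request determines the WebSocket scheme in use.
SCHEME_MAP = {"https": "wss", "http": "ws"}


def check_extended_connect(headers: Dict[str, str],
                           connection_is_tls: bool,
                           allow_rfc8164_opportunistic: bool = False) -> Decision:
    """Return whether the request may proceed on this connection and why."""
    if headers.get(":method") != "CONNECT":
        return Decision(False, None, "not a CONNECT request")
    if headers.get(":protocol") != "websocket":
        return Decision(False, None, "missing or unexpected :protocol")
    for name in (":scheme", ":path", ":authority"):
        if name not in headers:
            return Decision(False, None, "missing %s pseudo-header" % name)

    scheme = headers[":scheme"]
    ws_scheme = SCHEME_MAP.get(scheme)
    if ws_scheme is None:
        return Decision(False, None, "unsupported :scheme %r" % scheme)

    # wss requires https, which is only carried over a TLS connection.
    if scheme == "https" and not connection_is_tls:
        return Decision(False, ws_scheme,
                        "https :scheme (wss) requires a TLS connection")
    # ws uses the http scheme; carrying http over TLS is the RFC 8164 case,
    # which the peer must have opted into (assumed flag).
    if scheme == "http" and connection_is_tls and not allow_rfc8164_opportunistic:
        return Decision(False, ws_scheme,
                        "http :scheme (ws) over TLS only with RFC 8164 opportunistic security")
    return Decision(True, ws_scheme, "ok")


# Constructed sample requests (not captured traffic).
WSS_REQUEST = {":method": "CONNECT", ":protocol": "websocket",
               ":scheme": "https", ":path": "/chat", ":authority": "example.com:443"}
WS_REQUEST = {":method": "CONNECT", ":protocol": "websocket",
              ":scheme": "http", ":path": "/chat", ":authority": "example.com:80"}
PLAIN_GET = {":method": "GET", ":scheme": "https", ":path": "/",
             ":authority": "example.com"}


def run_examples() -> List[Decision]:
    """Exercise the four combinations from the thread plus a non-CONNECT request."""
    return [
        check_extended_connect(WSS_REQUEST, connection_is_tls=True),
        check_extended_connect(WSS_REQUEST, connection_is_tls=False),
        check_extended_connect(WS_REQUEST, connection_is_tls=False),
        check_extended_connect(WS_REQUEST, connection_is_tls=True),
        check_extended_connect(WS_REQUEST, connection_is_tls=True,
                               allow_rfc8164_opportunistic=True),
        check_extended_connect(PLAIN_GET, connection_is_tls=True),
    ]


if __name__ == "__main__":
    for d in run_examples():
        print(d)
```

The check is deliberately about the stream's own connection: as the thread notes, nothing forces the WebSocket bootstrap onto the connection the page markup came from, so a server or proxy has to evaluate each CONNECT against the TLS status of the connection that actually carries it.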
Received on Tuesday, 12 June 2018 01:44:45 UTC