- From: Martin Thomson <mt@lowentropy.net>
- Date: Tue, 14 Sep 2021 07:40:39 +1000
- To: ietf-http-wg@w3.org
On Tue, Sep 14, 2021, at 07:30, Justin Richer wrote:
> Jumping back on the top of the thread to summarize the next steps:
>
> This was some pretty clear and strong feedback, thanks everyone for
> providing it. The editors will add a note about this header to the
> security considerations section (namely, saying that it can’t really be
> relied on) but will neither put a normative requirement nor a
> special-cased field to support it.

I think maybe you want a simple note, with Via only referenced as an example. That is:

Any field that might be added to or altered by an intermediary might cause signatures to become invalid. This might be the case for Via, Forwarded-For, and CDN-Loop (or pick your own favourite examples).
Received on Monday, 13 September 2021 21:41:20 UTC
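
The effect described in the reply above, as an added example that is not part of the original message or of the draft's own text: a signature that covers Via stops verifying once an intermediary appends its own Via entry, while a signature over fields the intermediary leaves alone still verifies. The signature base here is a simplified stand-in for the draft's format, and the key, header values and proxy names are constructed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed shared secret, for illustration only


def signature_base(headers, covered):
    """Simplified signature base: one line per covered field, then the covered list."""
    lines = []
    for name in covered:
        # Multiple field lines with the same name are combined, comma-separated.
        values = [v.strip() for n, v in headers if n.lower() == name]
        if not values:
            raise KeyError(name)  # a covered field must be present
        lines.append(f'"{name}": {", ".join(values)}')
    lines.append('"@signature-params": (' + " ".join(f'"{n}"' for n in covered) + ")")
    return "\n".join(lines).encode()


def sign(headers, covered):
    return hmac.new(KEY, signature_base(headers, covered), hashlib.sha256).digest()


def verify(headers, covered, sig):
    try:
        expected = sign(headers, covered)
    except KeyError:
        return False  # covered field was removed in transit
    return hmac.compare_digest(expected, sig)


def forward_through_proxy(headers, pseudonym):
    """Hypothetical intermediary: appends its own Via entry and changes nothing else."""
    return headers + [("Via", f"1.1 {pseudonym}")]


def demo():
    # Constructed message as seen by the signer, already one hop from the client.
    original = [("Date", "Tue, 14 Sep 2021 07:40:39 GMT"),
                ("Content-Type", "application/json"),
                ("Via", "1.1 edge-a.example")]
    with_via, without_via = ["date", "content-type", "via"], ["date", "content-type"]
    sig_with_via, sig_without_via = sign(original, with_via), sign(original, without_via)
    forwarded = forward_through_proxy(original, "edge-b.example")
    return (verify(original, with_via, sig_with_via),         # unmodified message
            verify(forwarded, with_via, sig_with_via),        # Via altered in transit
            verify(forwarded, without_via, sig_without_via))  # Via not covered


if __name__ == "__main__":
    print(demo())
```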