- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 28 Jan 2015 21:51:29 -0800
- To: Noah Mendelsohn <nrm@arcanedomain.com>
- Cc: Tim Berners-Lee <timbl@w3.org>, "Eric J. Bowman" <eric@bisonsystems.net>, Mark Watson <watsonm@netflix.com>, Henri Sivonen <hsivonen@hsivonen.fi>, Public TAG List <www-tag@w3.org>
On 28 January 2015 at 20:01, Noah Mendelsohn <nrm@arcanedomain.com> wrote: > Do we have a clear answer on the technical bits: does insertion of an > advertisement violate the technical specifications for HTTP? If so, where is > the pertinent specification text? Thanks! I don't think that the text of the HTTP RFC provides strong support for the idea that a transforming proxy is legitimate. But that might be considered to be predicated on the concept of a proxy being selected for that purpose. A proxy SHOULD NOT modify header fields that provide information about the endpoints of the communication chain, the resource state, or the selected representation (other than the payload) unless the field's definition specifically allows such modification or the modification is deemed necessary for privacy or security. -- https://tools.ietf.org/html/rfc7230#section-5.7.2 "security" is such a nebulous term. Besides, it's only a "SHOULD NOT", which is trumped by "I know better (I think)". But very few people explicitly configure a proxy. We're really talking about an intercepting proxy and for those the text seems pretty negative: Network intermediaries are indistinguishable (at a protocol level) from a man-in-the-middle attack, often introducing security flaws or interoperability problems due to mistakenly violating HTTP semantics. -- https://tools.ietf.org/html/rfc7230#section-2.3 But then there is this: When a registered name is used in the authority component, the "http" URI scheme (Section 2.7.1) relies on the user's local name resolution service to determine where it can find authoritative responses. -- https://tools.ietf.org/html/rfc7230#section-9.1 I could interpret this mean that an intermediary that is identified by name resolution is entirely authoritative. So while I think that the intent is to describe interception proxies as categorically bad, I think that the text on establishing authority could be read as tacit approval by some.
Received on Thursday, 29 January 2015 05:51:56 UTC