Re: Sec-Scheme request header?
Mark Nottingham <mnot@mnot.net> Thu, 14 April 2016 00:20 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93E0812DDD9 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 13 Apr 2016 17:20:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.917
X-Spam-Level:
X-Spam-Status: No, score=-7.917 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 98Jt98yWh86i for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 13 Apr 2016 17:20:24 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5807712DA09 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 13 Apr 2016 17:20:23 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1aqUwm-0008KY-M6 for ietf-http-wg-dist@listhub.w3.org; Thu, 14 Apr 2016 00:15:48 +0000
Resent-Date: Thu, 14 Apr 2016 00:15:48 +0000
Resent-Message-Id: <E1aqUwm-0008KY-M6@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mnot@mnot.net>) id 1aqUwh-0008JE-QW for ietf-http-wg@listhub.w3.org; Thu, 14 Apr 2016 00:15:43 +0000
Received: from mxout-07.mxes.net ([216.86.168.182]) by lisa.w3.org with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <mnot@mnot.net>) id 1aqUwf-0002y2-Gs for ietf-http-wg@w3.org; Thu, 14 Apr 2016 00:15:42 +0000
Received: from [192.168.1.101] (unknown [120.149.194.112]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 67E7822E1FA; Wed, 13 Apr 2016 20:15:16 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <CABkgnnUxh=Anv3HjCMo9nhggmmTz8G+Mc2WHLtugBrdb1Jppzw@mail.gmail.com>
Date: Thu, 14 Apr 2016 10:15:13 +1000
Cc: Patrick McManus <mcmanus@ducksong.com>, Mike West <mkwst@google.com>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <B66FB746-B2D0-4106-91AC-B4E0995BE75A@mnot.net>
References: <ED1304AC-126B-486B-A58D-81D24C8F5C06@mnot.net> <CAKXHy=f=499HWYurEsTodjrJr6rR7DBkcFiVwmJGE0ogYFPAaQ@mail.gmail.com> <CAOdDvNrZuDHBLcMeKNhCMewi1zKOAnUt-CY9Cdh4vgi-CjcVAg@mail.gmail.com> <CABkgnnUxh=Anv3HjCMo9nhggmmTz8G+Mc2WHLtugBrdb1Jppzw@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
X-Mailer: Apple Mail (2.3124)
Received-SPF: pass client-ip=216.86.168.182; envelope-from=mnot@mnot.net; helo=mxout-07.mxes.net
X-W3C-Hub-Spam-Status: No, score=-8.3
X-W3C-Hub-Spam-Report: AWL=1.337, BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1aqUwf-0002y2-Gs cb902ea82546c9129621c0f7c2f0ad7c
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Sec-Scheme request header?
Archived-At: <http://www.w3.org/mid/B66FB746-B2D0-4106-91AC-B4E0995BE75A@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31445
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On 13 Apr 2016, at 11:53 PM, Martin Thomson <martin.thomson@gmail.com> wrote: > > On 13 April 2016 at 10:41, Patrick McManus <mcmanus@ducksong.com> wrote: >> I think we were discussing the general milieu of request routing complexity >> (421, coalescing, alt-svc, etc..).. and how the scheme was the one part of >> the origin that isn't always available to the final consumer of the request >> whether that is because it is h1 and not in the request at all, or whether >> it is because in h2 it is carried in a transport level colon header.. > > > Mark suggested that all existing places that carry a scheme might end > up being eroded, by virtue of them being known to intermediaries and > stacks and the like. For example, most server software gently > converts absolute URIs into a bare path (sometimes ignoring the > authority part, IIRC). > > The Sec-Scheme idea was a way of getting an unequivocal signal from > the client to the code serving a resource without all that mess > getting in the way. > > Why this wouldn't also be eroded in the same way is down to freshness. > Next time, we'll try Sec-NoIMeanIt-Scheme. </snark> Nope. The motivation here is that there is no standard way to determine the client's idea of what the scheme is at the server in HTTP/1.x, and while we define :scheme in H2, we short-sightedly made it a pseudo-header, meaning that there's no standard way for it to be exposed to server-side code. This is especially evident in situations like those that Julian described, where a request might go through infrastructure like this: --> CDN --> Reverse Proxy --> Origin Server --> PHP runtime --> PHP framework --> Application code ... and :scheme information might be stripped at any of these stages. Right now, different servers, runtimes and frameworks have different ways of determining the context of the connection (using port numbers, static configuration, presence of TLS, etc.), leading to confusion and resulting potential for security problems. Having a clear signal about the scheme in use from the client that "punches through" all of this in a way that's easy for the frameworks and application code to access and reason about *seems* like it would be a useful thing for them. Cheers, -- Mark Nottingham https://www.mnot.net/
- Sec-Scheme request header? Mark Nottingham
- Re: Sec-Scheme request header? Mike West
- Re: Sec-Scheme request header? Patrick McManus
- Re: Sec-Scheme request header? Martin Thomson
- Re: Sec-Scheme request header? Mark Nottingham
- Re: Sec-Scheme request header? Mike West
- Re: Sec-Scheme request header? Mark Nottingham
- Re: Sec-Scheme request header? Mike West
- Re: Sec-Scheme request header? Amos Jeffries