Re: Sec-Scheme request header?
Mike West <mkwst@google.com> Thu, 14 April 2016 07:57 UTC
Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B638212E318 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 14 Apr 2016 00:57:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.016
X-Spam-Level:
X-Spam-Status: No, score=-8.016 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XlsDulranBTh for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 14 Apr 2016 00:57:47 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DDB012E2F7 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 14 Apr 2016 00:57:46 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1aqc5W-0003Ya-O6 for ietf-http-wg-dist@listhub.w3.org; Thu, 14 Apr 2016 07:53:18 +0000
Resent-Date: Thu, 14 Apr 2016 07:53:18 +0000
Resent-Message-Id: <E1aqc5W-0003Ya-O6@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mkwst@google.com>) id 1aqc5S-0003Xt-U1 for ietf-http-wg@listhub.w3.org; Thu, 14 Apr 2016 07:53:14 +0000
Received: from mail-lf0-f52.google.com ([209.85.215.52]) by lisa.w3.org with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <mkwst@google.com>) id 1aqc5P-00079V-CG for ietf-http-wg@w3.org; Thu, 14 Apr 2016 07:53:12 +0000
Received: by mail-lf0-f52.google.com with SMTP id e190so99271014lfe.0 for <ietf-http-wg@w3.org>; Thu, 14 Apr 2016 00:52:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=wS8nMCHtv4Ca08ajX4i2oxd6jUAYlFs5GUTVBZfeOVw=; b=GGcWv4+k4dOOSrqNvo3c9380V1Ga3An3xEZgPj198oUQ/dkUz38UrCx/kL8XqkIJpa bHOK2DZeShzPiNAEe04wRTH/GlJTxUuBFJ/isbMbSFmzKRwaAgLww2gKpX18YAzpeooN 1ooEdBOt0HKMpUFsQGW4Vt26MSCRSrwgne9BWHlTR6h4pUFfp+G7vvZ4xBdYYPrPm66n +NW5fYUDDxszXUAEfXnvyFHIZTJznJg6bbg71YzB2IyPc7lGcjDo9nvv0Ka3qNmN8bjD BLaWCn6MXilnV3jw5QWDiayEFz+U90MxkqzUTTIrYzeKIitI/3pXOovrFMEB1QDZSr8x kj6A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=wS8nMCHtv4Ca08ajX4i2oxd6jUAYlFs5GUTVBZfeOVw=; b=JEBcdrHBLvRQpVsEqTn7KOR7vePP9SoKVadXTkGDavmbLPSPkTUfPf8T4arR+Bm27n rU4ECydk+/C+aEaHDXNAYdi1Q0yk5nA8IYZZdigusv6UQ70rYc0RvD8w6RYvPTA5Sjop JoAw31KAacnXf7rxXUBkhiYhkbn743OxhvVB+zMF1RhtCx5Myc0n1pY0GRDAe//D/sd1 PR7bpaXcr0ORXWe7sTD3G9HpVTa7r2zaqayLPCKmqPvLK1XmxrQRWI3ZXfrab9i/ZIt0 ked8/cOUJ1zc8hIUBXjlBjz6lYFcJOl1poApJ9gUEsXkIh69Zh1AdTwLo0FIUdAAvzAS O3zw==
X-Gm-Message-State: AOPr4FWlUN+5hxFE7Is4GtQh7Frmo70bBdHUXbEgKbYINIsD3frAYj2rrhZkW78uaPlfMg0j6y8xlgfCa7XSMiB2
X-Received: by 10.25.196.195 with SMTP id u186mr5948529lff.164.1460620364227; Thu, 14 Apr 2016 00:52:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.112.49.18 with HTTP; Thu, 14 Apr 2016 00:52:24 -0700 (PDT)
In-Reply-To: <B66FB746-B2D0-4106-91AC-B4E0995BE75A@mnot.net>
References: <ED1304AC-126B-486B-A58D-81D24C8F5C06@mnot.net> <CAKXHy=f=499HWYurEsTodjrJr6rR7DBkcFiVwmJGE0ogYFPAaQ@mail.gmail.com> <CAOdDvNrZuDHBLcMeKNhCMewi1zKOAnUt-CY9Cdh4vgi-CjcVAg@mail.gmail.com> <CABkgnnUxh=Anv3HjCMo9nhggmmTz8G+Mc2WHLtugBrdb1Jppzw@mail.gmail.com> <B66FB746-B2D0-4106-91AC-B4E0995BE75A@mnot.net>
From: Mike West <mkwst@google.com>
Date: Thu, 14 Apr 2016 09:52:24 +0200
Message-ID: <CAKXHy=e8yD=Ask4kR6zhH9-1YSOqJXexb1XaRjgTp0aMXTUiqw@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Martin Thomson <martin.thomson@gmail.com>, Patrick McManus <mcmanus@ducksong.com>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="001a114b200af6a81305306d2de1"
Received-SPF: pass client-ip=209.85.215.52; envelope-from=mkwst@google.com; helo=mail-lf0-f52.google.com
X-W3C-Hub-Spam-Status: No, score=-8.4
X-W3C-Hub-Spam-Report: AWL=2.337, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1aqc5P-00079V-CG 750515e4359666e009e784262f17ec26
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Sec-Scheme request header?
Archived-At: <http://www.w3.org/mid/CAKXHy=e8yD=Ask4kR6zhH9-1YSOqJXexb1XaRjgTp0aMXTUiqw@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31449
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On Thu, Apr 14, 2016 at 2:15 AM, Mark Nottingham <mnot@mnot.net> wrote: > The motivation here is that there is no standard way to determine the > client's idea of what the scheme is at the server in HTTP/1.x, and while we > define :scheme in H2, we short-sightedly made it a pseudo-header, meaning > that there's no standard way for it to be exposed to server-side code. > > This is especially evident in situations like those that Julian described, > where a request might go through infrastructure like this: > > --> CDN --> Reverse Proxy --> Origin Server --> PHP runtime --> PHP > framework --> Application code > > ... and :scheme information might be stripped at any of these stages. > > Right now, different servers, runtimes and frameworks have different ways > of determining the context of the connection (using port numbers, static > configuration, presence of TLS, etc.), leading to confusion and resulting > potential for security problems. > > Having a clear signal about the scheme in use from the client that > "punches through" all of this in a way that's easy for the frameworks and > application code to access and reason about *seems* like it would be a > useful thing for them. > What kind of reasoning do you expect this header to enable? I'm a little worried about terminating TLS somewhere, but carrying a "totally secure" indicator through various proxies and etc. until reaching an origin server. Doesn't that seem more confusing and problematic than status quo? "SSL added and removed here", and etc. -mike
- Sec-Scheme request header? Mark Nottingham
- Re: Sec-Scheme request header? Mike West
- Re: Sec-Scheme request header? Patrick McManus
- Re: Sec-Scheme request header? Martin Thomson
- Re: Sec-Scheme request header? Mark Nottingham
- Re: Sec-Scheme request header? Mike West
- Re: Sec-Scheme request header? Mark Nottingham
- Re: Sec-Scheme request header? Mike West
- Re: Sec-Scheme request header? Amos Jeffries