From 7c6d1d63410e962400b5ac6a83f78af7d6d486e0 Mon Sep 17 00:00:00 2001 From: Mike Bishop Date: Fri, 16 Aug 2019 13:49:52 -0400 Subject: [PATCH 1/2] Require 8164 validation for non-https origins --- draft-ietf-quic-http.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/draft-ietf-quic-http.md b/draft-ietf-quic-http.md index 15e3080582..90bb20ad23 100644 --- a/draft-ietf-quic-http.md +++ b/draft-ietf-quic-http.md @@ -381,6 +381,10 @@ certificate for the origin before considering it authoritative. Clients MUST NOT assume that an HTTP/3 endpoint is authoritative for other origins without an explicit signal. +If the client intends to make requests for an origin containing a scheme other +than "https", it MUST also obtain a valid `http-opportunistic` response for the +origin as described in {{!RFC8164}} prior to making any such requests. + A server that does not wish clients to reuse connections for a particular origin can indicate that it is not authoritative for a request by sending a 421 (Misdirected Request) status code in response to the request (see Section 9.1.2 From ed68fdf589cb8ffd2148759410bdac3e51cf4539 Mon Sep 17 00:00:00 2001 From: Mike Bishop Date: Thu, 22 Aug 2019 11:31:30 -0400 Subject: [PATCH 2/2] 8164 is specific, but the requirement is generic --- draft-ietf-quic-http.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/draft-ietf-quic-http.md b/draft-ietf-quic-http.md index 90bb20ad23..8dc8cfe958 100644 --- a/draft-ietf-quic-http.md +++ b/draft-ietf-quic-http.md 
@@ -381,9 +381,12 @@ certificate for the origin before considering it authoritative. Clients MUST NOT assume that an HTTP/3 endpoint is authoritative for other origins without an explicit signal. -If the client intends to make requests for an origin containing a scheme other -than "https", it MUST also obtain a valid `http-opportunistic` response for the -origin as described in {{!RFC8164}} prior to making any such requests. +Prior to making requests for an origin whose scheme is not "https," the client +MUST ensure the server is willing to serve that scheme. If the client intends +to make requests for an origin whose scheme is "http", this means that it MUST +obtain a valid `http-opportunistic` response for the origin as described in +{{!RFC8164}} prior to making any such requests. Other schemes might define +other mechanisms. A server that does not wish clients to reuse connections for a particular origin can indicate that it is not authoritative for a request by sending a 421
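Review bot: In the PATCH 1/2 hunk, the added sentence applies to any origin "containing a scheme other than "https"", but the only mechanism it mandates is the `http-opportunistic` response from RFC 8164, which is defined for "http" origins. A client handling any other non-"https" scheme is left with a MUST it has no defined way to satisfy. Either narrow the condition to origins whose scheme is "http", or state the scheme-independent requirement first and present RFC 8164 as the way to meet it for "http".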
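Review bot: In the PATCH 2/2 hunk, the closing sentence "Other schemes might define other mechanisms." leaves the generic MUST without a stated outcome when a scheme defines no such mechanism. The text should say what the client does in that case, for example that it MUST NOT make requests for that scheme on the connection, so the requirement fails closed instead of being left to implementer judgment. Two smaller points in the same added lines: the "http" sentence ends with "prior to making any such requests", which repeats the "Prior to making requests" that opens the paragraph and can be dropped, and the comma placement differs between `"https,"` and `"http",` and should follow one convention.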