Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Require 8164 validation for non-https origins #2973

Merged
merged 2 commits into from
Aug 26, 2019
Merged

Require 8164 validation for non-https origins #2973

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7c6d1d6
Require 8164 validation for non-https origins
MikeBishop Aug 16, 2019
ed68fdf
8164 is specific, but the requirement is generic
MikeBishop Aug 22, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions draft-ietf-quic-http.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -381,6 +381,13 @@ certificate for the origin before considering it authoritative. Clients MUST NOT
assume that an HTTP/3 endpoint is authoritative for other origins without an
explicit signal.

Prior to making requests for an origin whose scheme is not "https," the client
MUST ensure the server is willing to serve that scheme. If the client intends
to make requests for an origin whose scheme is "http", this means that it MUST
obtain a valid `http-opportunistic` response for the origin as described in
{{!RFC8164}} prior to making any such requests. Other schemes might define
other mechanisms.

A server that does not wish clients to reuse connections for a particular origin
can indicate that it is not authoritative for a request by sending a 421
(Misdirected Request) status code in response to the request (see Section 9.1.2
Expand Down