On Nov 24, 2008, at 12:59 AM, Vidar Ramdal wrote:
> On Sun, Nov 23, 2008 at 7:30 PM, Felix Meschberger
> <[EMAIL PROTECTED]> wrote:
>> Basically, I would say, the scheme is important, too: For example you
>> might want to force https on certain content locations.
>
> Hmmm. I'm not sure I agree. I think a resource should be the same
> regardless of what protocol you choose to deliver it. I can see cases
> where I want to force https, but that would be depending on the use
> case (e.g. passing a login), not depending on the resource itself.
No, that is a fairly common security hole. URIs establish authority
on the Web by virtue of who controls the TCP port on the host(s) that
are indicated by DNS lookup. There is no guarantee that the principal
controlling access to port 80 is the same as that controlling 483;
their traffic may not even be directed to the same data center.
Yes, I know that cookies violate that authority chain already.
However, I can absolutely guarantee that "http://host/" is never
the same resource as "https://host/" even when they deliver the
same content.
....Roy
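The identity argument in Roy's reply, illustrated as an added example that is not part of this thread and not code from the Sling project: an RFC 3986 style component comparison in which the scheme and the scheme's default port are part of a URI's authority. Host names, scheme, and percent-encoding case are normalized so that trivially different spellings compare equal, but two URIs that differ only in scheme are never treated as the same resource, because a different scheme means a different port and therefore potentially a different controlling principal. The sample URIs are constructed; the default ports (80 for http, 443 for https) are the standard ones.

```python
import re
from urllib.parse import urlsplit

# Standard default ports per scheme; used only to fold an explicit
# default port into the scheme (http://host:80/ == http://host/).
DEFAULT_PORTS = {"http": 80, "https": 443}


def authority(uri):
    """Return the (scheme, host, port) triple that establishes who is
    answering for this URI. Scheme is kept: it selects the port, and
    whoever controls that port controls the resource."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def normalize(uri):
    """Syntax-based normalization (RFC 3986 section 6.2.2): case of scheme
    and host, default port, empty path, and percent-encoding case."""
    parts = urlsplit(uri)
    scheme, host, port = authority(uri)
    path = parts.path or "/"
    # Percent-encodings are case-insensitive; normalize to upper case
    # so "%2f" and "%2F" compare equal.
    path = re.sub(r"%[0-9a-fA-F]{2}", lambda m: m.group(0).upper(), path)
    return (scheme, host, port, path, parts.query)


def same_resource(a, b):
    """True only when both URIs name the same resource after normalization.
    Identical content delivered under a different scheme is not enough."""
    return normalize(a) == normalize(b)


def same_authority(a, b):
    """True when both URIs are answered by the same (scheme, host, port)."""
    return authority(a) == authority(b)


if __name__ == "__main__":
    # Constructed sample pairs for a quick demonstration.
    pairs = [
        ("HTTP://Host/a%2fb", "http://host:80/a%2Fb"),   # equal after normalization
        ("https://host:443/", "https://host/"),           # equal after normalization
        ("http://host/", "https://host/"),                # different scheme -> different resource
    ]
    for a, b in pairs:
        print(f"{a} vs {b}: same_resource={same_resource(a, b)}, "
              f"same_authority={same_authority(a, b)}")
```

The same principle is what the browser's same-origin policy encodes: an origin is (scheme, host, port), so a document served over http cannot read one served over https from the same host, even though cookies, as Roy notes, do not honour that boundary.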