Exactly. Does that address your concern about scope? (We can continue debating the value of the Content-Type header as a security measure if you'd like...)
EHL

On 2/11/09 2:58 PM, "Adam Barth" <w...@adambarth.com> wrote:

> On Wed, Feb 11, 2009 at 2:44 PM, Eran Hammer-Lahav <e...@hueniverse.com>
> wrote:
>> You got this backwards.
>
> Ah. Thanks for this response. I understand the situation much better now.
>
> Let me see if I understand this correctly for the case of the https scheme.
>
> 1. You want to find out more about example.com on port 443 speaking
> HTTP-over-TLS.
> 2. You want to find out more about https://example.com/resource/1 (and
> care about the HTTP-over-TLS representation).
>
> In both cases, you will do (wrapped in a TLS session):
>
> GET /host-meta HTTP/1.1
> Host: example.com:443
>
> Your point is that a Web browser would never want to find out more
> about https://example.com/resource/1 and care about the HTTP
> representation (it would always be interested in the HTTP-over-TLS
> representation).
>
> Thanks,
> Adam
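The two cases Adam lists above collapse to the same request because host-meta discovery is keyed on scheme, host and port only, never on the resource path. The following is an added example, not code from the thread or from the host-meta draft: it derives the discovery request for any http/https URI, keeps the explicit `:443` in the Host header exactly as the quoted message does, and flags whether the request must travel inside TLS. The `/host-meta` path, the `host_meta_request` and `same_discovery` names, and the dict layout are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Default ports per scheme; only the two schemes discussed in the thread.
DEFAULT_PORTS = {"http": 80, "https": 443}


def host_meta_request(uri: str) -> dict:
    """Build the host-meta discovery request for the authority serving `uri`.

    Hypothetical helper (not from the draft). The path of `uri` is ignored on
    purpose: discovery describes the host, not the resource. The returned
    `tls` flag records whether the request must be wrapped in a TLS session,
    which is the case for every https URI regardless of path.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    host = parts.hostname  # urlsplit lowercases the host for us
    if not host:
        raise ValueError("URI has no host component")
    port = parts.port or DEFAULT_PORTS[scheme]

    # Port is always written explicitly, matching "Host: example.com:443"
    # in the quoted exchange, so two URIs that differ only in whether the
    # default port is spelled out still produce byte-identical requests.
    request = (
        "GET /host-meta HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "\r\n"
    )
    return {"tls": scheme == "https", "host": host, "port": port, "request": request}


def same_discovery(uri_a: str, uri_b: str) -> bool:
    """True when both URIs lead to the identical host-meta request.

    An http URI and an https URI for the same host are never the same
    discovery: the https client only cares about the HTTP-over-TLS
    representation and must not be downgraded to the plain HTTP one.
    """
    return host_meta_request(uri_a) == host_meta_request(uri_b)


if __name__ == "__main__":
    # Constructed inputs: the two cases from the quoted message.
    for uri in ("https://example.com:443", "https://example.com/resource/1"):
        r = host_meta_request(uri)
        print(uri, "->", "TLS" if r["tls"] else "plain", repr(r["request"]))
    print(same_discovery("https://example.com:443", "https://example.com/resource/1"))
    print(same_discovery("https://example.com/resource/1", "http://example.com/resource/1"))
```

Because `same_discovery` compares the whole record, including the `tls` flag, a caller that already holds cached host-meta for `http://example.com` cannot accidentally reuse it for `https://example.com`; the two are distinct authorities for discovery purposes even though the Host header's name part is the same.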