On 24 July 2014 23:32, Patrick McManus <mcmanus@ducksong.com> wrote: > But just as you check the security context against the :path, you also > check the security context against :scheme.. and sure, receiving https > without tls is something 7230 says is an error. I think 6455 says the same > thing about wss. However just because TLS is present doesn't mean https is > the only acceptable scheme. OK that makes sense. I'll take this to the servlet expert group as I think we should require that isSecure does more than check the scheme and makes some effort to check context. cheers -- Greg Wilkins <gregw@intalio.com> http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales http://www.webtide.com advice and support for jetty and cometd.
Received on Friday, 25 July 2014 00:48:49 UTC