> so that a server which supports this mechanism > ends up behind a proxy which does not (and hence does not strip > the headers). > If the problem can be reduced to the above then I think there are some http features that are worth considering if you're willing to look at it as a single hop requirement: a] if the proxy->server link is h1 then the x-client-certificate name can be included in the Connection header sent to the server (and the server can enforce this property). Any naive proxy receiving that same combination from a malicious client would remove the request-header of the same name before forwarding it on to the server and then generate its own Connection header. b] if the proxy->server link is h2 then you can inject connection-specific information into the stream with an extension frame type (and the server can enforce this property). You don't need to negotiate it with SETTINGS (which is nice, because that's a round trip.) and these frames are hop to hop (proxies that don't understand a frame type MUST drop them). Its not too hard to imagine a generalization of (b).. a CONNECTION-SPECIFIC-HEADERS or somesuch that has strict hop-to-hop semantics. -P
Received on Monday, 17 July 2017 16:26:12 UTC