I'm not sure how this can be turned into something useful, but this seems pretty bad:
- An HTTP/1.1 server doesn't check the scheme, but permits authority form requests for both http and https equally. Scheme is instead inferred from the presence/absence of TLS in the stack.
- Attacker sends an Alt-Svc header field to clients referencing the https endpoint on that server. This can come from any resource on the http endpoint, so it might not require any MitM attack.
- Clients now make http requests to the secure endpoint and now the content from the https origin is entered into the http origin.

Do we want to require an explicit indication from HTTP/1.1 servers so that clients can be assured that this error did not occur?
This should not be a problem for HTTP/2.
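As an added illustration (not code from the original post or from any HTTP implementation), the two checks that close the gap described above: a server-side scheme check for absolute-form targets that refuses a target whose explicit scheme disagrees with the transport instead of inferring the scheme from TLS alone, and a client-side gate that only follows an Alt-Svc alternative when scheme confusion is impossible. The `alt_signals_scheme` flag is a constructed stand-in for the explicit server indication the post asks about, and the gate is deliberately stricter than any spec text.

```python
from urllib.parse import urlsplit


def effective_scheme(request_target: str, tls_active: bool) -> str:
    """Scheme an HTTP/1.1 server should act on for one request.

    Inferring the scheme from TLS alone is the flaw in the post: an absolute-form
    target "http://host/path" arriving over TLS would be served as the https
    origin's content. Here a disagreement between the explicit scheme in the
    target and the transport raises instead of being silently resolved.
    """
    transport_scheme = "https" if tls_active else "http"
    if request_target.startswith("/") or request_target == "*":
        return transport_scheme  # origin-form carries no scheme; transport decides
    parts = urlsplit(request_target)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme in target {request_target!r}")
    if parts.scheme != transport_scheme:
        raise ValueError(
            f"scheme mismatch: target says {parts.scheme}, transport is {transport_scheme}"
        )
    return parts.scheme


def target_rejected(request_target: str, tls_active: bool) -> bool:
    """True when the server-side check above refuses the request."""
    try:
        effective_scheme(request_target, tls_active)
    except ValueError:
        return True
    return False


def alternative_allowed(origin_scheme: str, alt_protocol: str, alt_signals_scheme: bool) -> bool:
    """Client-side gate for an Alt-Svc alternative (constructed rule, not spec text).

    - An insecure origin is never allowed to steer requests elsewhere.
    - An http/1.1 alternative is followed only if the server explicitly signals
      that it distinguishes schemes (alt_signals_scheme, the hypothetical indication).
    - Other protocols (h2 and later) carry the scheme explicitly in each request.
    """
    if origin_scheme != "https":
        return False
    if alt_protocol == "http/1.1":
        return alt_signals_scheme
    return True
```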