Disable HTTPS upgrade?
Posted Mar 5, 2025 11:02 UTC (Wed) by intelfx (subscriber, #130118)
In reply to: Disable HTTPS upgrade? by excors
Parent article: Firefox 136.0 released
> RFC9110 says:
>
>> Resources made available via the "https" scheme have no shared identity with the "http" scheme. They are distinct origins with separate namespaces.
>
> but then goes on to mention cookies as an example of features that undermine the strict distinction. Specifically RFC6265 says:
>
>> servers SHOULD NOT both run mutually distrusting services on different ports of the same host and use cookies to store security-sensitive information.
Sure, that's a restriction placed on the previous clause. Yet, "the exception proves the rule in cases not excepted".
So it is, in fact, true that besides this mutual distrust caveat, RFCs declare http:// and https:// resources as separate namespaces. I take it as a pretty clear-cut confirmation that the standards agree with my interpretation.
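
The distinction argued over in this comment, as an added example that is not part of the original thread: an origin is the scheme/host/port tuple, while RFC 6265 cookie selection looks only at host, path and the Secure flag. The example.com URLs and the `sid` cookie are constructed, and the matching functions are a simplified sketch of RFC 6265 sections 5.1.3, 5.1.4 and 5.4.

```javascript
// Added example: constructed URLs and cookies, not taken from the thread.
// An origin is the (scheme, host, port) tuple; URL.origin serializes it.
const sameOrigin = (a, b) => new URL(a).origin === new URL(b).origin;

// RFC 6265 section 5.1.3 domain-match (IP-address special case omitted).
function domainMatches(host, cookieDomain) {
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// RFC 6265 section 5.1.4 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// RFC 6265 section 5.4 selection rules: host, path and the Secure flag.
// The port never appears, and the scheme matters only for Secure cookies.
function cookieSent(cookie, url) {
  const u = new URL(url);
  const hostOk = cookie.hostOnly
    ? u.hostname === cookie.domain
    : domainMatches(u.hostname, cookie.domain);
  const schemeOk = !cookie.secure || u.protocol === "https:";
  return hostOk && schemeOk && pathMatches(u.pathname, cookie.path);
}

// Constructed sample cookies: identical except for the Secure attribute.
const plain = { name: "sid", domain: "example.com", hostOnly: true, path: "/", secure: false };
const secure = { ...plain, secure: true };
const urls = [
  "http://example.com/",
  "https://example.com/",
  "http://example.com:8080/app",
  "https://example.com:8443/app",
];

// One row per URL: is it same-origin with urls[0], and which cookies go out.
function summarize() {
  return urls.map((url) => ({
    url,
    sameOriginAsFirst: sameOrigin(urls[0], url),
    plainSent: cookieSent(plain, url),
    secureSent: cookieSent(secure, url),
  }));
}

console.table(summarize());
```

All four URLs are distinct origins, yet the cookie without Secure is attached to every one of them, and the Secure cookie still crosses the port boundary between the two https URLs.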
