I would like to see the HTTP/2 spec allow http traffic, with the requirement that http 2 traffic must be signed. This would allow publicly accessible resources (including javascript) to be cacheable, without compromising security.

Random thoughts:

* The signing could be done in headers (HTTP/1.0 compatible)
* Works with all existing internet caches that don't modify pages they cache
* (some proxies inject headers into pages, so the spec should be resistant to this, and throw out all unsigned headers)
* Signature must cover cache expiry and full page url (including FQDN, port number etc)
* don't send cookies, user-agent or other identifying details over http 2 (helps with caching, and privacy)
* Could have a requirement that all https 2 traffic can only link to resources on https or http 2
* If the signature in the http 2 message fails, browser could fall back to https 2
* A redirect could sign the content it is redirecting to (to securely load resources from 3rd party CDN)

Edit: formatting
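The client-side check this comment proposes, as an added example that is not part of the original comment or of any HTTP/2 draft: the signature covers the full URL, the expiry and the body, unsigned headers are discarded, and a failed check returns `null` so the caller can fall back to HTTPS. The header names `signed-headers` and `content-signature`, the use of Ed25519, and a client that already holds the origin's public key are all assumptions.

```javascript
// Added illustration. The header names signed-headers and content-signature
// are hypothetical, and the client is assumed to already hold the origin key.
const { generateKeyPairSync, sign, verify, createHash } = require('node:crypto');

// Bytes covered by the signature: full URL, header list, headers, body hash.
function signingInput(url, names, headers, body) {
  const lines = [`url:${url}`, `signed-headers:${names.join(',')}`];
  for (const n of names) lines.push(`${n}:${headers[n] ?? ''}`);
  lines.push(`body-sha256:${createHash('sha256').update(body).digest('hex')}`);
  return Buffer.from(lines.join('\n'));
}

// Origin side: sign a response for one exact URL; headers must include expires.
function signResponse(privateKey, url, headers, body) {
  const names = Object.keys(headers).sort();
  const sig = sign(null, signingInput(url, names, headers, body), privateKey);
  return { ...headers, 'signed-headers': names.join(','),
           'content-signature': sig.toString('base64') };
}

// Client side: returns the trusted view of the response, or null so the
// caller can fall back to HTTPS.
function verifyResponse(publicKey, requestedUrl, headers, body, nowSec) {
  const names = (headers['signed-headers'] || '').split(',').filter(Boolean);
  const sig = Buffer.from(headers['content-signature'] || '', 'base64');
  if (sig.length !== 64 || !names.includes('expires')) return null;
  const input = signingInput(requestedUrl, names, headers, body);
  if (!verify(null, input, publicKey, sig)) return null;
  if (!(Number(headers.expires) > nowSec)) return null; // stale or malformed
  // Keep only signed headers, so anything a proxy injected is discarded.
  const trusted = Object.fromEntries(names.map((n) => [n, headers[n]]));
  return { headers: trusted, body };
}

// Constructed sample: one signed script, then a proxy that adds a header.
function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const url = 'http://static.example:80/app.js';
  const body = Buffer.from('console.log("hi")');
  const signed = signResponse(privateKey, url,
    { 'content-type': 'text/javascript', expires: '2000000000' }, body);
  const viaProxy = { ...signed, 'x-injected': 'by-proxy' };
  const now = 1700000000;
  return {
    ok: verifyResponse(publicKey, url, viaProxy, body, now),
    wrongUrl: verifyResponse(publicKey, 'http://static.example:80/other.js', viaProxy, body, now),
    tampered: verifyResponse(publicKey, url, viaProxy, Buffer.from('evil()'), now),
    expired: verifyResponse(publicKey, url, viaProxy, body, 2000000001),
  };
}
```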