-
Notifications
You must be signed in to change notification settings - Fork 60
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
308 Permanent Redirect #117
Comments
Good point. Looks like browser support would map to Modern. Anyone interested in PRing changes for Modern in your favorite server type to use 308? |
Applies to the modern configuration only. Relates to mozilla#117.
x-ref: "308 Permanent Redirect" mozilla#117 "For Apache, prefer 308 Permanent Redirect to 301 Moved Permanently" mozilla#137
x-ref: "308 Permanent Redirect" mozilla#117 "For Apache, prefer 308 Permanent Redirect to 301 Moved Permanently" mozilla#137
According to the details in https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/308, all web browsers listed on the page have supported 308 for over 8 years, with Edge, of course, being the last among them to add support for 308 in Edge 12 released 2015-07-28. A year and a half ago, Microsoft published an article declaring IE 11 dead and buried. https://blogs.windows.com/windowsexperience/2022/06/15/internet-explorer-11-has-retired-and-is-officially-out-of-support-what-you-need-to-know/ Internet Explorer 11 desktop app retirement FAQ (Published May 19 2021 08:55 AM)
https://en.wikipedia.org/wiki/List_of_Microsoft_Windows_versions IE has been actively disabled. The concerns raised in this issue are out-of-date. This issue could have been resolved years ago with a simple choice:
@gene1wood is there any open question that remains that would prevent this issue from being decided and resolved? |
EOL or not, the
which hasn't changed since the issue opened. No problem for In So unless there's new UA support matrix in the cards for the specs, this should not break now. (Read: Might need new specs version release with different UAs claimed to be supported; at the same time this might mean moving all DHE to |
Please help me to understand. If software is end-of-life, then the "old" config applies. People using end-of-life software should not qualify for "intermediate" compatibility. The software they are using is end-of-life. Yes, people are using end-of-life software. It is obvious that it is not dead yet. However, end-of-life software should unquestionably qualify as "old" and nothing else. Now, I have not checked end-of-life for Server W7/8, but would point out that web browsers should be used in a very, very limited fashion on Windows servers, as they are servers, and not client machines. Safer corporate configs block servers from direct access to the internet if they allow it at all. |
@gstrauss I agree. There's a lot of sad UAs that should be defined as "old" these days, years after the v5.0 specs came out. But as I mentioned, it's the specs that need to change first, moving some of the browser support around. (And with it, even the ciphers needed to support them, so getting rid of EOL IE 11 AND DHE suites at the same time would be lovely.) — I just don't know what's the roadmap for v5.x specs and who (and when) should make the call it's about time to reassess the support matrix for 2024 perspective. (The issue with "IE 11" as a client is a simplification to an extent, as it's similar to e. g. 2008 R2 Server or 2012 R2 Server, using the same SChannel they can't get more cipher updates for and are stuck with what's provided by the system network layer, where .NET applications can't use any alternative network stack, only the system SChannel. The R2 Server might be an API client, and the client limitations for the .NET app would be the same as for the IE11 browser unfortunately. So that explains the "web browsers use" on servers. For .NET on R2 Servers that basically means the whole network implementation that can't be replaced or circumvented.) |
This comment was marked as duplicate.
This comment was marked as duplicate.
This comment was marked as duplicate.
This comment was marked as duplicate.
x-ref: "308 Permanent Redirect" mozilla#117 "For Apache, prefer 308 Permanent Redirect to 301 Moved Permanently" mozilla#137
This comment was marked as duplicate.
This comment was marked as duplicate.
@janbrasna wrote:
@gene1wood: Do you happen to know which group/committee at or affiliated with Mozilla does that? Is it the Security Assurance team at Mozilla? Is there an open request in an issue tracker or an open item for the project manager to review and refresh the specs? |
@gene1wood Please take appropriate steps to engage decision makers and update the specs. @janbrasna posted in #117 (comment) that the specs still have Intermediate supporting an embarrassingly old list of clients. Please escalate to get the specs updated. End-of-life software is end-of-life. It should not be supported by Intermediate. (I can also argue that it should not be supported by Old because the software is END-OF-LIFE and no longer supported.) |
I notice that 301 Moved Permanently is used to redirect from HTTP to HTTPS, but that this status code can cause POST requests to be transformed to GET requests.
There's a new code 308 Permanent Redirect which seems more appropriate, here. I understand it's not supported by IE 11 before Windows 10, but is there a reason it's not used in the Modern profiles?
The text was updated successfully, but these errors were encountered: