On 12/5/2017 6:06 PM, Daniel Stenberg wrote:
>> It would be nice to add a cURL option to force a GET request on the
>> proxy, even for https URLs:
>>
>> GET https://example.com/ HTTP/1.1
>>
>> This is perfectly legal.
>
> Oh yes, that's certainly perfectly fine by all the relevant standards.
> But it's no longer the same kind of HTTPS as we all are used to, since
> now your application no longer has an unbroken end-to-end channel to
> the remote server. Now you let your proxy see everything and do
> anything it wants and you must trust it uncondionally and wholly.

you can cheat by using --request-target [1] (libcurl:
CURLOPT_REQUEST_TARGET [2]) to specify an https url:

curld -v --request-target "https://www.google.com/" -x localhost:8888
http://www.google.com

note the request target is https and ends in a slash which is not
optional. the URL here must be http and the domain should be what you
want in the host header. for example www.google.com in the host header.
the URL's request target is ignored, for example
http://www.google.com/foo the /foo is ignored since --request-target
replaces it and instead of "GET /foo HTTP/1.1" curl will do "GET
https://www.google.com/ HTTP/1.1"

>> *Did I miss something? Would you consider adding this feature to cURL?*
>
> I wouldn't object to supporting it, no. If someone wants to implement
> it, document it and write a test or two I'm game. But the option name
> and documentation would need to be crystal clear about what exactly
> this means in terms of it not being "good old HTTPS" anymore - even if
> the user would use such a URL together with this option.

WIP at https://github.com/curl/curl/pull/2156

[1]: https://curl.haxx.se/docs/manpage.html#--request-target
[2]: https://curl.haxx.se/libcurl/c/CURLOPT_REQUEST_TARGET.html

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2017-12-06