1

Are HTTP and HTTPS resources equivalent? That is, does http://example.com/ABC refer to the same resource as https://example.com/ABC?

Evidence for: (1) Cookies with matching domain and path without the "secure" attribute are set and returned independent of protocol. (2) HTTP Strict Transport Security bounces you from HTTP to HTTPS with an implicit assumption that the resource is the same.

Evidence against: (1) The same-origin policy treats a different protocol as a different origin. (2) The HTTP RFC shows that a comparison of HTTP and HTTPS is unequal. (3) Resources for other protocols like FTP aren't equivalent to HTTP resources for the same domain (e.g., FTP server root dir different), so what magic does HTTPS have over FTP in resource equivalence to HTTP?

2 Answers

1

I am going to say - Yes - they are the same resources.

The protocol only depicts the transportation layer.

To me

http://example.com/ABC

reads like the following:

At example.com, a commercial domain, I have a resource called ABC.

I read the same for the following irrespective of protocol.

https://example.com/ABC

However, web servers can be configured to represent entirely different contents at the same ABC resource path based on https, but in my mind they should not do so.

However, the only caveat is if anyone wants to return some sort of warning for using plain HTTP; we now have a different meaning, but it should return 500 or some error condition for doing so.


1 Comment

I suppose there is no strict URL definition or WWW architecture principle that makes them the same, but the cookies and HSTS evidence I provided will have to be enough to assert they are the same resource. That is, simply changing http to https doesn't change the purpose or intent of the rest of the URL.
0

The answer is, it depends on the web server configuration. They can and in a lot of cases do point to the same resources, because HTTP and HTTPS tend to be bound to the same single site/application.

However, because they are accessed over different TCP ports (HTTP port 80, HTTPS port 443), it is perfectly possible to have the HTTP resource be served up by a different bound site than the HTTPS resource with the same URI (except protocol) and therefore be totally different.
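The question's two kinds of evidence can be put side by side in code. The following is an added example, not code from the question or either answer: it applies the same-origin comparison (scheme, host, port) and a simplified form of the RFC 6265 cookie-matching rules to the two URLs. The function names and the cookie objects are hypothetical and the sample data is constructed.

```javascript
// Same-origin check: scheme, host and port must all be equal (RFC 6454).
// URL.origin drops the default port, so :80 on http compares equal to no port.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// RFC 6265 domain-match, simplified: exact host or a subdomain of the cookie
// domain (the RFC's IP-address and host-only cases are left out here).
function domainMatch(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// RFC 6265 path-match: the cookie path must be a prefix ending on a "/" boundary.
function pathMatch(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Would a user agent attach this cookie to a request for `url`?
// Scheme only matters when the cookie carries the Secure attribute;
// the port is never consulted.
function cookieSent(cookie, url) {
  const u = new URL(url);
  if (!domainMatch(u.hostname, cookie.domain)) return false;
  if (!pathMatch(u.pathname, cookie.path)) return false;
  if (cookie.secure && u.protocol !== "https:") return false;
  return true;
}

// Constructed sample data: the two URLs from the question and two cookies.
const HTTP_URL = "http://example.com/ABC";
const HTTPS_URL = "https://example.com/ABC";
const plainCookie = { name: "sid", domain: "example.com", path: "/", secure: false };
const secureCookie = { name: "sid", domain: "example.com", path: "/", secure: true };

// Summarise how each mechanism treats the http/https pair.
function compare(cookie) {
  return {
    sameOrigin: sameOrigin(HTTP_URL, HTTPS_URL),
    sentOverHttp: cookieSent(cookie, HTTP_URL),
    sentOverHttps: cookieSent(cookie, HTTPS_URL),
  };
}

console.log("plain cookie :", compare(plainCookie));
console.log("secure cookie:", compare(secureCookie));
```

The cookie without `secure` is attached to both URLs although they are different origins, which is why session cookies need the Secure attribute if the HTTP and HTTPS listeners are not guaranteed to be the same site.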
