GitLab

With Firefox and Chrome now supporting Opportunistic Encryption of HTTP in order to avoid a passive attacker stripping or modifying that header may be a worthwhile attack. It should probably be explicitly checked for, as modifying this particular header has a great chance for being an actual attack on a website supporting it.

Blog Articles on the Header: http://bitsup.blogspot.co.at/2015/03/opportunistic-encryption-for-firefox.html http://blog.alteroot.org/articles/2015-03-28/HTTP-alternative-services-and-opportunistic-encryption.html

RFC explaining the Header: https://tools.ietf.org/html/draft-ietf-httpbis-alt-svc-04

Trac:
Username: reezer