Re: HTTP/2.0 -04 candidate

Yes, any client that cares about security will do the enforcement
regardless. The thing is there are two new proposals on the table here.
Sam's proposal is to simply drop :scheme and :host and always assume same
origin. James' modification is to assume same origin unless otherwise
specified. I prefer the status quo of explicitly specifying the headers.
And I think that unless there are compelling reasons to *change* the spec,
we should opt to keep it as is. Do people feel strongly that we should
adopt either Sam's or James' proposals for the implementation draft?


On Tue, Jul 2, 2013 at 1:11 PM, Mike Belshe <mike@belshe.com> wrote:

> Sam is right on this point.  The original spdy spec said this:
>
> "Browsers receiving a pushed response MUST validate that the server is
> authorized to push the URL using the browser same-origin <http://mbelshe.github.com/SPDY-Specification/draft-mbelshe-spdy-00.xml#RFC6454> policy.
> For example, a SPDY connection to www.foo.com is generally not permitted
> to push a response for www.evil.com."
>
> Even if the servers are required not to send promises for resources they
> don't technically own, browsers need to verify it.  The client will be in
> the enforcement role here.
>
> Mike
>
>
>
>
> On Mon, Jul 1, 2013 at 11:34 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
>
>> On 1 July 2013 22:22, Sam Pullara <spullara@gmail.com> wrote:
>> > I suggest that you limit to same origin and remove the :scheme and the
>> > :host.
>>
>> You are probably right Sam, and I think that I agree, but this would
>> be a change and we need to be careful about that.  See
>> https://github.com/http2/http2-spec/issues/158
>>
>>
>

Received on Tuesday, 2 July 2013 21:28:06 UTC
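
The client-side check discussed in this thread, as an added example that is not part of the original messages or of any SPDY or HTTP/2 implementation: it compares the RFC 6454 origin triple of a pushed response's `:scheme` and `:host` with the connection's origin. The names `Origin`, `make_origin`, `push_allowed` and the `assume_same_origin` flag (modelling the "assume same origin unless otherwise specified" variant) are hypothetical.

```python
from typing import Mapping, NamedTuple

DEFAULT_PORTS = {"http": 80, "https": 443}


class Origin(NamedTuple):
    scheme: str
    host: str
    port: int


def make_origin(scheme: str, authority: str) -> Origin:
    """Build an RFC 6454 (scheme, host, port) triple from :scheme and :host."""
    scheme = scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    host, sep, port = authority.rpartition(":")
    if not (sep and port.isdigit()):
        # No explicit port (also covers a bare bracketed IPv6 literal).
        host, port = authority, str(DEFAULT_PORTS[scheme])
    if not host or "@" in host or host.endswith(":"):
        raise ValueError(f"invalid authority: {authority!r}")
    return Origin(scheme, host.lower(), int(port))


def push_allowed(connection: Origin, promised: Mapping[str, str],
                 assume_same_origin: bool = False) -> bool:
    """Return True only if the promised resource is same-origin with the connection.

    assume_same_origin=False: both headers must be present (explicit headers).
    assume_same_origin=True:  a missing header defaults to the connection's value.
    The comparison itself is performed in both modes.
    """
    scheme = promised.get(":scheme")
    host = promised.get(":host")
    if (scheme is None or host is None) and not assume_same_origin:
        return False
    if scheme is None:
        scheme = connection.scheme
    if host is None:
        host = f"{connection.host}:{connection.port}"
    try:
        return make_origin(scheme, host) == connection
    except ValueError:
        return False  # malformed or unsupported values are never accepted
```
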