- From: Jo Liss <joliss42@gmail.com>
- Date: Fri, 20 Sep 2013 19:55:12 +0100
- To: ietf-http-wg@w3.org
[Originally at https://github.com/http2/http2-spec/issues/248]

Hey all,

http://http2.github.io/http2-spec/#rfc.section.10.1 says:

> A server is considered authoritative for an "http" resource if the connection is
> established to a resolved IP address for the domain in the origin of the resource.

I worry whether this might be insecure: For instance, `foo.herokuapp.com` and `bar.herokuapp.com` could conceivably live behind a load balancer at the same IP address, yet `foo` shouldn't be able to push resources for `bar`. (Or am I mis-reading the spec here?)

I'm guessing the expectation would be: If the load balancer speaks HTTP 2.0, it would forward individual streams to the servers, so we can expect it to enforce that servers don't send unauthorized push promises.

But what if an HTTP 1.1 load balancer forwards the entire TCP connection once it sees a Host: field? Then the server could conceivably upgrade to HTTP 2.0 and push resources that it isn't allowed to push. Could this happen?

What do you think?

Cheers,
Jo

--
Jo Liss
http://www.solitr.com/blog/
Received on Friday, 20 September 2013 18:55:38 UTC
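
The concern raised in the message above, modelled as an added example (not code from the post or from the HTTP/2 draft): a client-side check that applies the quoted IP-based authority rule to pushed resources, next to a stricter same-origin check. The DNS table, the addresses, the pushed URLs and the same-origin policy are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed DNS view: both tenants resolve to the same load-balancer address.
RESOLVED = {
    "foo.herokuapp.com": {"203.0.113.10"},
    "bar.herokuapp.com": {"203.0.113.10"},
    "other.example": {"198.51.100.7"},
}

def origin(url):
    """Return (scheme, host, port), host lowercased, default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    return (scheme, (parts.hostname or "").lower(), parts.port or default_port)

def authoritative_by_ip(conn_ip, pushed_url, resolved=RESOLVED):
    """The quoted rule: for an "http" resource, the connection's IP address
    is one that the domain in the resource's origin resolves to."""
    scheme, host, _ = origin(pushed_url)
    return scheme == "http" and conn_ip in resolved.get(host, set())

def authoritative_same_origin(request_url, pushed_url):
    """Stricter policy (an assumption, not spec text): the pushed resource
    must have the same origin as the request the client actually made."""
    return origin(pushed_url) == origin(request_url)

def classify_pushes(conn_ip, request_url, pushed_urls):
    """Return (url, accepted_by_ip_rule, accepted_by_same_origin) per push."""
    return [
        (u, authoritative_by_ip(conn_ip, u), authoritative_same_origin(request_url, u))
        for u in pushed_urls
    ]

if __name__ == "__main__":
    # Constructed scenario: the client requested foo over the shared IP.
    pushes = [
        "http://foo.herokuapp.com/app.js",
        "http://bar.herokuapp.com/app.js",   # different tenant, same IP
        "http://other.example/x.js",         # different IP entirely
    ]
    for row in classify_pushes("203.0.113.10", "http://foo.herokuapp.com/", pushes):
        print(row)
```

The `bar.herokuapp.com` row is the case the message asks about: the IP-based rule accepts it because both names resolve to the same address, while the same-origin check rejects it.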