Re: Security of cross-origin pushed resources

On Sep 20, 2013, at 9:21 PM, William Chan (陈智昌) wrote:

> As usual, I feel like when you and I disagree on mailing lists, we spend many roundtrips just to find out that we misunderstood each other and we actually agree :)
> 
> So, when I said "I'm supportive of changing the spec to remove cross-origin push for http URIs." I meant http:// scheme, and primarily I meant unauthenticated (I know that Patrick is hopeful we can authenticate and encrypt http:// URIs in the future, but when I say http:// scheme today, I mean unauthenticated). So no cert or anything.
> 
> Does that clear it up? If not, then I think I don't understand or just actually disagree :P Do you think we need to change the existing text, and if so, what do you propose?
> 
> http://http2.github.io/http2-spec/#rfc.section.10.1
> =====
> A server that is contacted using TLS is authenticated based on the certificate that it offers in the TLS handshake (see [RFC2818], Section 3). A server is considered authoritative for an "https" resource if it has been successfully authenticated for the domain part of the origin of the resource that it is providing.
> 
> A server is considered authoritative for an "http" resource if the connection is established to a resolved IP address for the domain in the origin of the resource.
> 
> A client MUST NOT use, in any way, resources provided by a server that is not authoritative for those resources.

Umm, I hope folks realize that this last sentence forbids any
form of hierarchical caching.

....Roy

Received on Saturday, 21 September 2013 05:36:48 UTC
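
The authority rules in the quoted section 10.1 text, written out as a client-side check. This is an added example, not part of the original message or the spec; the `Connection` model, the function names and the sample hosts and addresses are assumptions, and the wildcard match is a simplification of RFC 2818. The `PROXY` case shows the situation the reply points at: a response received through an intermediary cache fails the "http" rule as written.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Connection:
    """What the client knows about one connection (hypothetical model)."""
    peer_ip: str                     # address the socket is connected to
    tls_authenticated: bool = False  # handshake and chain validation succeeded
    cert_dns_names: list = field(default_factory=list)  # dNSName SANs

def san_matches(pattern: str, host: str) -> bool:
    """Simplified RFC 2818 match: '*' only as the entire left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*."):
        head, _, tail = h.partition(".")  # wildcard spans exactly one label
        return bool(head) and tail == p[2:]
    return False

def is_authoritative(url: str, conn: Connection, resolved: dict) -> bool:
    """Apply the quoted rules; `resolved` maps host -> set of resolved IPs."""
    parts = urlsplit(url)
    host = parts.hostname
    if not host:
        return False
    if parts.scheme == "https":  # authenticated for the origin's domain part
        return conn.tls_authenticated and any(
            san_matches(name, host) for name in conn.cert_dns_names)
    if parts.scheme == "http":   # connected to a resolved IP for the domain
        return conn.peer_ip in resolved.get(host, set())
    return False

def usable_pushes(urls, conn, resolved):
    """Keep only the pushed resources the client may use under the MUST NOT."""
    return [u for u in urls if is_authoritative(u, conn, resolved)]

# Constructed sample data (documentation address ranges, made-up hosts).
RESOLVED = {"www.example.com": {"192.0.2.10"}, "cdn.example.net": {"198.51.100.7"}}
ORIGIN = Connection("192.0.2.10", True, ["www.example.com", "*.static.example.com"])
PROXY = Connection("10.0.0.5")  # intermediary cache: not a resolved IP, no TLS

if __name__ == "__main__":
    pushed = ["https://www.example.com/app.js", "https://cdn.example.net/lib.js",
              "http://www.example.com/style.css", "http://cdn.example.net/lib.js"]
    print(usable_pushes(pushed, ORIGIN, RESOLVED))
    print(is_authoritative("http://www.example.com/style.css", PROXY, RESOLVED))
```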