Alt-svc and CORS

Hi,

Assume the following case:


1. A browser requests a page, index.html, from origin example.com.

2. The page contains an image resource from pictures.com.

3. A cross origin request for the image is sent to pictures.com. The Origin header value in the request is "example.com".

4. pictures.com has set its CORS policies to allow access to the image from origin example.com, so it accepts the request and sends a response with the image. The ACAO header value in the response is "example.com".

5. The browser receives the image, and renders it on the page.

So far so good.

Then, assume that example.com uses Alt-svc, and provides index.html also from duxample.com. Now, assume the following case:


1. The browser requests index.html from origin duxample.com (based on whatever logic).

2. The cross origin request for the image is sent to pictures.com.

QUESTION #1: When the request for the image is sent to pictures.com, will it contain an Alt-Used header? Note that pictures.com is not an alternative service.

QUESTION #2: When the request for the image is sent to pictures.com, what will the value of the Origin header be?


1) As Alt-svc is not supposed to change/replace the origin, will the header value be "example.com"?; or

2) Will the header value be "duxample.com"? If so, does that mean that pictures.com will not accept the image request, as the CORS policy only gives access to example.com? Would pictures.com need to be aware of each alternative service of example.com, and give access to the image to each of the alternative services? That doesn't sound right.

Regards,

Christer

Received on Wednesday, 7 October 2015 07:40:48 UTC
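The scenario in the message above, modelled as an added example that is not part of the original post: it follows the rule in RFC 7838 that an alternative service changes where a request is routed but not the origin, and that Alt-Used names the alternative in use. The `https` scheme, port 443, the image path and all function names are assumptions made for the example.

```javascript
// Constructed model: hosts are from the message; https and port 443 are assumed.
// Alt-Svc cache: origin -> alternative service currently in use (RFC 7838).
const altSvcCache = new Map([["https://example.com", "duxample.com:443"]]);

// Build the request a browser would send for `url` on behalf of a document
// whose origin is `documentOrigin` (null for a top-level navigation).
function buildRequest(url, documentOrigin) {
  const target = new URL(url);
  const headers = { Host: target.host };
  // The alternative only changes where the connection goes.
  const alt = altSvcCache.get(target.origin);
  const connectTo = alt ?? `${target.hostname}:${target.port || 443}`;
  // Alt-Used names the alternative, so it appears only on requests routed via one.
  if (alt) headers["Alt-Used"] = alt;
  // Origin is the document's origin, never the endpoint it was fetched from.
  if (documentOrigin && documentOrigin !== target.origin) headers.Origin = documentOrigin;
  return { connectTo, headers };
}

// Server-side CORS decision at pictures.com: echo the Origin if it is allowed.
function corsResponseHeaders(requestHeaders, allowedOrigins) {
  const origin = requestHeaders.Origin;
  return origin && allowedOrigins.includes(origin)
    ? { "Access-Control-Allow-Origin": origin, Vary: "Origin" }
    : {};
}

// Browser-side check before exposing the response to the page.
function browserAccepts(responseHeaders, documentOrigin) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  return acao === "*" || acao === documentOrigin;
}

function scenario() {
  const pageUrl = "https://example.com/index.html";
  const pageReq = buildRequest(pageUrl, null);          // served by duxample.com
  const documentOrigin = new URL(pageUrl).origin;        // still https://example.com
  const imgReq = buildRequest("https://pictures.com/image.png", documentOrigin);
  const imgRes = corsResponseHeaders(imgReq.headers, ["https://example.com"]);
  return { pageReq, imgReq, accepted: browserAccepts(imgRes, documentOrigin) };
}

console.log(JSON.stringify(scenario(), null, 2));
```

In this model the allow-list at pictures.com names only the origin, so it does not need an entry for each alternative service.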