Re: Alt-svc and CORS

On 2015-10-07 09:40, Christer Holmberg wrote:
> Hi,
>
> Assume the following case:
>
> 1. A browser requests a page, index.html, from origin example.com.
>
> 2. The page contains an image resource from pictures.com
>
> 3. A cross origin request for the image is sent to pictures.com. The
> Origin header value in the request is “example.com”.
>
> 4. pictures.com has set its CORS policies to allow access to the image
> from origin example.com, so it accepts the request and sends a response
> with the image. The ACAO header value in the response is “example.com”.
>
> 5. The browser receives the image, and renders it on the page.
>
> So far so good.
>
> Then, assume that example.com uses Alt-svc, and provides index.html also
> from duxample.com. Now, assume the following case:
>
> 1. The browser requests index.html from origin duxample.com (based on
> whatever logic)
>
> 2. The cross origin request for the image is sent to pictures.com
>
> QUESTION #1: When the request for the image is sent to pictures.com,
> will it contain an Alt-Used header? Note that pictures.com is not an
> alternative service.

My understanding is that the header field should not be sent. We 
currently say in 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-alt-svc-latest.html#rfc.section.5.p.3>:

"When using an alternative service, clients SHOULD include an Alt-Used 
header field in all requests."

Maybe change this to

"When using an alternative service, clients SHOULD include an Alt-Used 
header field in all requests sent to that service."?

> QUESTION #2: When the request for the image is sent to pictures.com,
> what will the value of the Origin header be?
>
> 1) As Alt-svc is not supposed to change/replace the origin, will the
> header value be “example.com”?; or
>
> 2) Will the header value be “duxample.com”? If so, does that mean that
> pictures.com will not accept the image request, as the CORS policy only
> gives access to example.com? Would pictures.com need to be aware of each
> alternative service of example.com, and give access to the image to each
> of the alternative services? That doesn’t sound right.

Yes, it would be 1).


We currently say in 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-alt-svc-latest.html#rfc.section.2.p.4>:

"Alternative services do not replace or change the origin for any given 
resource; in general, they are not visible to the software "above" the 
access mechanism. The alternative service is essentially alternative 
routing information that can also be used to reach the origin in the 
same way that DNS CNAME or SRV records define routing information at the 
name resolution level. Each origin maps to a set of these routes — the 
default route is derived from the origin itself and the other routes are 
introduced based on alternative-protocol information."

Isn't that sufficient?

Best regards, Julian
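The two points made in this reply (Origin is derived from the document's origin and is untouched by Alt-Svc; Alt-Used is sent only to the alternative service itself) can be checked against a small model of a client's request construction. The following is an added example, not code from the thread or from the httpbis draft; it uses the host names from the question, serialises Origin and ACAO in their real form ("https://example.com" rather than the bare "example.com" written in the mail), and the `Client` class, `build_request` and `cors_allows` are illustrative names with no relation to any browser's internals.

```python
"""Toy model of how a client builds request headers when an origin
advertises an alternative service (added illustration, not from the thread).

Assumptions (constructed for illustration):
  - example.com has advertised duxample.com:443 as its alternative service.
  - pictures.com has no alternative service.
  - pictures.com replies with ACAO "https://example.com".
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class AltService:
    host: str
    port: int = 443


@dataclass
class Client:
    # origin host -> alternative service learned from an Alt-Svc header
    alt_svc: Dict[str, AltService] = field(default_factory=dict)

    def learn_alt_svc(self, origin_host: str, alt_host: str, alt_port: int = 443) -> None:
        self.alt_svc[origin_host] = AltService(alt_host, alt_port)

    def route(self, target_host: str) -> Tuple[str, int]:
        """Where the connection actually goes: the alternative, if one is known."""
        alt = self.alt_svc.get(target_host)
        return (alt.host, alt.port) if alt else (target_host, 443)

    def build_request(self, document_origin: str, target_host: str, path: str) -> dict:
        conn_host, conn_port = self.route(target_host)
        # Host always names the origin; the alternative is routing only.
        headers = {"Host": target_host}
        # Origin comes from the document, never from where it was fetched.
        if target_host != document_origin:
            headers["Origin"] = f"https://{document_origin}"
        # Alt-Used is only present when this request goes to an alternative
        # service for target_host (RFC 7838 style "host:port" value).
        if (conn_host, conn_port) != (target_host, 443):
            headers["Alt-Used"] = f"{conn_host}:{conn_port}"
        return {"connect_to": (conn_host, conn_port), "path": path, "headers": headers}


def cors_allows(acao_value: Optional[str], origin_header: Optional[str]) -> bool:
    """Minimal ACAO check for a non-credentialed request."""
    if acao_value is None or origin_header is None:
        return False
    return acao_value == "*" or acao_value == origin_header


def scenario() -> dict:
    """Replay the two cases from the question and return what the client sends."""
    client = Client()
    client.learn_alt_svc("example.com", "duxample.com", 443)

    # The page itself: fetched via the alternative, so Alt-Used is present.
    page = client.build_request("example.com", "example.com", "/index.html")
    # The cross-origin image: pictures.com is not an alternative service,
    # so no Alt-Used, and Origin still names example.com.
    image = client.build_request("example.com", "pictures.com", "/img.png")
    allowed = cors_allows("https://example.com", image["headers"].get("Origin"))
    return {"page": page, "image": image, "image_allowed": allowed}


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

Running the block prints the page request going to `duxample.com` with an `Alt-Used` header, and the image request going directly to `pictures.com` with `Origin: https://example.com` and no `Alt-Used`, which is the answer "1)" given above; the CORS check passes without pictures.com knowing anything about duxample.com.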

Received on Wednesday, 7 October 2015 08:33:12 UTC