W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2016

Re: Submitted new I-D: Cache Digests for HTTP/2

From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 27 Jan 2016 12:24:22 +1100
Message-ID: <CABkgnnUqQKSxNqoQ3MzSB-WcRfis2eVScEEOzUCkDkde-QYJPw@mail.gmail.com>
To: Kazuho Oku <kazuhooku@gmail.com>
Cc: Stefan Eissing <stefan.eissing@greenbytes.de>, Julian Reschke <julian.reschke@gmx.de>, Ilya Grigorik <ilya@igvita.com>, Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
On 27 January 2016 at 12:11, Kazuho Oku <kazuhooku@gmail.com> wrote:
> Note that the former is not named `domain`.  Please refer to
> https://lists.w3.org/Archives/Public/ietf-http-wg/2016JanMar/0132.html
> for the reason behind.


I just re-read that and I think that you have a hole here with this:

> * if a non-wildcard `host` attribute is specified, the scope is the
> host.  The value MUST be equal to the host part of the :authority
> pseudo header

This prevents someone from connecting to an HTTP/2 server that
supports multiple names and making assertions about multiple of those
names.  For instance, this seems perfectly reasonable to send to a
server that has a cert for example.com and foo.example...

GET / HTTP/1.1
Host: example.com
Cache-Digest: CgRSlw, soOIs;host=foo.example

After all, you want to suppress pushes from foo.example.

(Note that the origin frame might help advise what origins you want to
cover here.)
Received on Wednesday, 27 January 2016 01:24:50 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 22 March 2016 12:47:11 UTC