- From: Piers O'Hanlon <piers.ohanlon@bbc.co.uk>
- Date: Tue, 26 Nov 2019 17:10:37 +0000
- To: Lucas Pardue <lucaspardue.24.7@gmail.com>
- CC: Patrick McManus <mcmanus@ducksong.com>, HTTP Working Group <ietf-http-wg@w3.org>
Hi Lucas, Thanks for the explanation - that helped. I think to keep the discussion simple I’ll reply with my points to Patrick. Piers > On 25 Nov 2019, at 17:02, Lucas Pardue <lucaspardue.24.7@gmail.com> wrote: > > IIUC Patrick correctly, I think one threat model relates to connection coalescing. Imagine two resources: a.example.com/index.html includes b.example.com/foo.js and the properties of these resources (i.e. authority and certs) satisfy the requirements for HTTP/2 connection reuse as described in https://tools.ietf.org/html/rfc7540#section-9.1.1. > > a.example.com and b.example.com are in different administrative domains but requests for b.example.com/foo.js are able to obtain information about the state of the connection including the effect of requests to a.example.com. This could be used for fingerprinting or some other form of attack from one domain to the other. > > Lucas > >
Received on Tuesday, 26 November 2019 17:10:43 UTC