- From: Albert Lunde <atlunde@panix.com>
- Date: Tue, 02 Jul 2013 08:21:34 -0500
- To: HTTP Working Group <ietf-http-wg@w3.org>
On 7/2/2013 12:22 AM, Sam Pullara wrote:
> It looks like this could be an issue:
>
> The header fields in PUSH_PROMISE MUST include the ":scheme", ":host"
> and ":path" header fields that identify the resource that is being
> pushed. A PUSH_PROMISE always implies an HTTP method of GET. If a
> client receives a PUSH_PROMISE that does not include these header
> fields, or a value for the ":method" header field, it MUST respond
> with a stream error (Section 5.4.2
> <http://tools.ietf.org/html/draft-unicorn-httpbis-http2-00#section-5.4.2>)
> of type PROTOCOL_ERROR.
>
> I suggest that you limit to same origin and remove the :schema and the
> :host. It is quite probable that a different host, even if it could be
> served from the same IP address, actually resolves to a different IP
> address when the client resolves it. Even the same :host could resolve
> to a different IP address.

A case where this could become less obvious might be a server or cluster of servers offering a number of name-based virtual hosts. It's fairly common for a virtual host to have two or four aliases.

Also, there may be shared resources the server knows about that aren't obviously related to a client's view of "origins", like a host name used to serve particular media types or groups of content, such as shared styles, images, or sounds.
Received on Tuesday, 2 July 2013 13:22:01 UTC
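The following is an added example, not part of the original message or of the draft: a client-side check that applies the quoted PROTOCOL_ERROR rule and then a same-origin restriction like the one suggested in the thread, showing how virtual-host aliases and shared media hosts fall outside the client's view of the origin. The function names, the "REFUSE"/"ACCEPT" labels, the treatment of malformed hosts and the example.com hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

REQUIRED = (":scheme", ":host", ":path")   # fields the quoted draft text requires
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(scheme, host):
    """Return the (scheme, hostname, port) triple for a scheme and host[:port]."""
    if any(ch in host for ch in "/?#@\\"):
        raise ValueError("host contains characters outside host[:port]")
    scheme = scheme.lower()
    parts = urlsplit(f"{scheme}://{host}")
    if not parts.hostname:
        raise ValueError("empty host")
    return (scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(scheme))


def check_push_promise(headers, conn_scheme, conn_host):
    """Classify a PUSH_PROMISE header set against the connection's origin."""
    # Rule quoted from the draft: missing identifying fields are a stream error.
    if any(not headers.get(name) for name in REQUIRED):
        return "PROTOCOL_ERROR"
    try:
        promised = origin(headers[":scheme"], headers[":host"])
    except ValueError:
        return "REFUSE"  # assumption: a malformed host is refused, not accepted
    # Hypothetical policy from the thread: only same-origin pushes are accepted.
    if promised != origin(conn_scheme, conn_host):
        return "REFUSE"
    return "ACCEPT"


def demo():
    """Constructed samples: a connection to https://www.example.com."""
    samples = {
        "same host": {":scheme": "https", ":host": "www.example.com", ":path": "/a.css"},
        "explicit default port": {":scheme": "https", ":host": "WWW.example.com:443", ":path": "/a.css"},
        "virtual-host alias": {":scheme": "https", ":host": "example.com", ":path": "/a.css"},
        "shared media host": {":scheme": "https", ":host": "static.example.com", ":path": "/a.css"},
        "other scheme": {":scheme": "http", ":host": "www.example.com", ":path": "/a.css"},
        "missing :host": {":scheme": "https", ":path": "/a.css"},
    }
    return {name: check_push_promise(h, "https", "www.example.com")
            for name, h in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

The alias and shared-media-host cases are refused even though one server may legitimately serve all three names, because the client can only compare names, not what the server knows about them.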