- From: James M Snell <jasnell@gmail.com>
- Date: Tue, 2 Jul 2013 10:51:22 -0700
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: William Chan (陈智昌) <willchan@chromium.org>, Sam Pullara <spullara@gmail.com>, Albert Lunde <atlunde@panix.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Tue, Jul 2, 2013 at 10:25 AM, Martin Thomson
<martin.thomson@gmail.com> wrote:
> On 2 July 2013 10:22, William Chan (陈智昌) <willchan@chromium.org> wrote:
>> I don't understand why this proposal is an improvement.
>
> Me too :)
>
Which part?
>> On Tue, Jul 2, 2013 at 10:15 AM, James M Snell <jasnell@gmail.com> wrote:
>>> PUSH_PROMISE
>>> :path = http://someother.example.com/some-other-content.js
>>> push-authorization: {auth token of some sort}
>>> Now, this is just a strawman example, but it demonstrates that we can
>>> achieve the cross-domain push while still having the No :host or
>>> :scheme in PUSH_PROMISE restriction.
>
> This in particular makes me queasy. :scheme, :host and :path are so
> simple. Please don't mess them up further.
>
Please do keep in mind that the particular part above wasn't a
proposal, I very clearly indicated that it was just a quickly written
strawman example illustrating a point.
To be clear, the proposal I made was:
1. Only require :path (and :method) in PUSH_PROMISE
2. If :scheme and :host are not provided, inherit the ones from the
originating request
3. If :scheme and :host are provided, they SHOULD match from the
originating request
This would simplify the requirements for push promise and make
same-origin the default while giving room to experiment with other
options later.
Received on Tuesday, 2 July 2013 17:52:11 UTC