W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2013

Re: HTTP/2.0 -04 candidate

From: Sam Pullara <spullara@gmail.com>
Date: Tue, 2 Jul 2013 12:39:59 -0700
Message-Id: <BB6C52B9-EE29-4F34-8D9D-13FA6C76B6F1@gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
On Jul 2, 2013, at 12:12 PM, David Morris <dwm@xpasc.com> wrote:
>> Browsers associate security with the origin server. If I can serve
>> content from an arbitrary origin that is a problem without trust.
>> Rewriting the URLs with a different origin solves this problem and thus
>> is not an issue.
> 
> If the html from server: examplex.com as written references host:
> x.example.com, and before delivering it, examplex.com rewrites it to
> a url for examplex.com (in the html) and keeps track of the mapping so
> that the PUSH_PROMISE knews where to get the content from, and serves
> the other server's content, how is that not a bigger problem them
> providing a PUSH_PROMISE with the correct identification?

Because the browser gives it the security constraints of examplex.com and not x.example.com.

>>> If we feel there is a security requirement here, it should be along
>>> the lines of:
>>> 
>>> The host name specified in a PUSH_PROMISE must have a DNS entry
>>> which includes the IP address of server sending the PUSH_PROMISE.

Many DNS servers only ship a subset of the IP addresses at a time, especially if there are lots of them.

>> 
>> This would allow one domain on a VPS serve content for any other domain 
>> on a VPS.
> 
> Exactly what happens with HTTP/1.1 virtual hosts. The TCP connection is
> shared to serve data from multiple virtual hosts.

In 1.1 I believe that you have separate connection per host name. Also, just because I am hosted on a VPS with hostname sam.vps.com doesn't mean I should be allowed to serve content as if it came from dave.vps.com. This may work for trusted forward proxies, but doesn't work in general.

Sam
Received on Tuesday, 2 July 2013 19:40:28 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:14 UTC