Re: HTTP/2.0 -04 candidate from Mike Belshe on 2013-07-02 (ietf-http-wg@w3.org from July to September 2013)

From: Mike Belshe <mike@belshe.com>
Date: Tue, 2 Jul 2013 13:11:29 -0700
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Sam Pullara <spullara@gmail.com>, Shigeki Ohtsu <ohtsu@iij.ad.jp>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CABaLYCv+YBGbgbsW7zYqK0htX6SjqMQXmUnZwMP--gRhPQnQRw@mail.gmail.com>

Sam is right on this point.  The original spdy spec said this:

"Browsers receiving a pushed response MUST validate that the server is
authorized to push the URL using the browser
same-origin<http://mbelshe.github.com/SPDY-Specification/draft-mbelshe-spdy-00.xml#RFC6454>
policy.
For example, a SPDY connection to www.foo.com is generally not permitted to
push a response for www.evil.com."

Even if the servers are required not to send promises for resources they
don't technically own, browsers need to verify it.  The client will be in
the enforcement role here.

Mike

On Mon, Jul 1, 2013 at 11:34 PM, Martin Thomson <martin.thomson@gmail.com>wrote:

> On 1 July 2013 22:22, Sam Pullara <spullara@gmail.com> wrote:
> > I suggest that you limit to same origin and remove the :schema and the
> > :host.
>
> You are probably right Sam, and I think that I agree, but this would
> be a change and we need to be careful about that.  See
> https://github.com/http2/http2-spec/issues/158
>
>

Received on Tuesday, 2 July 2013 20:11:56 UTC