Sam is right on this point. The original spdy spec said this:
"Browsers receiving a pushed response MUST validate that the server is
authorized to push the URL using the browser
same-origin<http://mbelshe.github.com/SPDY-Specification/draft-mbelshe-spdy-00.xml#RFC6454>
policy.
For example, a SPDY connection to www.foo.com is generally not permitted to
push a response for www.evil.com."
Even if the servers are required not to send promises for resources they
don't technically own, browsers need to verify it. The client will be in
the enforcement role here.
Mike
On Mon, Jul 1, 2013 at 11:34 PM, Martin Thomson <martin.thomson@gmail.com>wrote:
> On 1 July 2013 22:22, Sam Pullara <spullara@gmail.com> wrote:
> > I suggest that you limit to same origin and remove the :schema and the
> > :host.
>
> You are probably right Sam, and I think that I agree, but this would
> be a change and we need to be careful about that. See
> https://github.com/http2/http2-spec/issues/158
>
>