- From: David Morris <dwm@xpasc.com>
- Date: Tue, 2 Jul 2013 15:25:38 -0700 (PDT)
- cc: HTTP Working Group <ietf-http-wg@w3.org>
To be clear ... I feel strongly that the spec shouldn't change.

On Tue, 2 Jul 2013, William Chan wrote:

> Yes, any client that cares about security will do the enforcement
> regardless. The thing is there are two new proposals on the table here.
> Sam's proposal is to simply drop :scheme and :host and always assume same
> origin. James' modification is to assume same origin unless otherwise
> specified. I prefer the status quo of explicitly specifying the headers.
> And I think that unless there are compelling reasons to *change* the spec,
> we should opt to keep it as is. Do people feel strongly that we should
> adopt either Sam or James' proposals for the implementation draft?
>
>
> On Tue, Jul 2, 2013 at 1:11 PM, Mike Belshe <mike@belshe.com> wrote:
>
> > Sam is right on this point. The original spdy spec said this:
> >
> > "Browsers receiving a pushed response MUST validate that the server is
> > authorized to push the URL using the browser same-origin <http://mbelshe.github.com/SPDY-Specification/draft-mbelshe-spdy-00.xml#RFC6454> policy.
> > For example, a SPDY connection to www.foo.com is generally not permitted
> > to push a response for www.evil.com."
> >
> > Even if the servers are required not to send promises for resources they
> > don't technically own, browsers need to verify it. The client will be in
> > the enforcement role here.
> >
> > Mike
> >
> >
> > On Mon, Jul 1, 2013 at 11:34 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
> >
> > > On 1 July 2013 22:22, Sam Pullara <spullara@gmail.com> wrote:
> > > > I suggest that you limit to same origin and remove the :scheme and the
> > > > :host.
> > >
> > > You are probably right Sam, and I think that I agree, but this would
> > > be a change and we need to be careful about that. See
> > > https://github.com/http2/http2-spec/issues/158
Received on Tuesday, 2 July 2013 22:26:07 UTC
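The client-side enforcement Mike describes, and the three positions William lists (explicit :scheme/:host, always same-origin, same-origin unless specified), as an added example that is not code from the working group, any browser, or the thread's authors. It assumes the pseudo-header names `:scheme` and `:host` from the draft under discussion; `DEFAULT_PORTS`, `Origin` and the function names are mine.

```python
from typing import Dict, NamedTuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}  # RFC 6454 default ports


class Origin(NamedTuple):
    """RFC 6454 origin triple; host is lowercased, port always explicit."""
    scheme: str
    host: str
    port: int


def parse_origin(scheme: str, authority: str) -> Origin:
    """Build an Origin from a scheme and a host[:port] string such as the
    :host pseudo-header value. Raises ValueError on anything malformed."""
    scheme = scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r}")
    parts = urlsplit(f"{scheme}://{authority}/")  # handles [v6]:port, case
    # Reject anything that smuggles a path, query, fragment or userinfo in.
    if parts.hostname is None or parts.netloc != authority or parts.username:
        raise ValueError(f"malformed authority {authority!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return Origin(scheme, parts.hostname, port)


def push_origin(conn: Origin, pseudo: Dict[str, str],
                assume_same_origin: bool = False) -> Origin:
    """Origin a PUSH_PROMISE claims. With assume_same_origin=False (the
    status quo) :scheme and :host are mandatory; with True (James' variant)
    a missing header inherits the connection's value."""
    scheme = pseudo.get(":scheme")
    authority = pseudo.get(":host")
    if (scheme is None or authority is None) and not assume_same_origin:
        raise ValueError("PUSH_PROMISE lacks :scheme or :host")
    if scheme is None:
        scheme = conn.scheme
    if authority is None:
        return Origin(scheme.lower(), conn.host, conn.port)
    return parse_origin(scheme, authority)


def is_authorized_push(conn: Origin, pseudo: Dict[str, str],
                       assume_same_origin: bool = False) -> bool:
    """Client-side enforcement: accept a pushed response only if its origin
    equals the connection's. A malformed promise is rejected, never guessed."""
    try:
        return push_origin(conn, pseudo, assume_same_origin) == conn
    except ValueError:
        return False
```

Sam's "always same origin" position is the `assume_same_origin=True` path with no pseudo-headers at all; a real client would answer a rejected promise with RST_STREAM rather than just returning False.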