Re: HTTP/2.0 -04 candidate

To be clear ... I feel strongly that the spec shouldn't change.

On Tue, 2 Jul 2013, William Chan (???) wrote:

> Yes, any client that cares about security will do the enforcement
> regardless. The thing is there are two new proposals on the table here.
> Sam's proposal is to simply drop :scheme and :host and always assume same
> origin. James' modification is to assume same origin unless otherwise
> specified. I prefer the status quo of explicitly specifying the headers.
> And I think that unless there are compelling reasons to *change* the spec,
> we should opt to keep it as is. Do people feel strongly that we should
> adopt either Sam or James' proposals for the implementation draft?
> 
> 
> On Tue, Jul 2, 2013 at 1:11 PM, Mike Belshe <mike@belshe.com> wrote:
> 
> > Sam is right on this point.  The original spdy spec said this:
> >
> > "Browsers receiving a pushed response MUST validate that the server is
> > authorized to push the URL using the browser same-origin policy (http://mbelshe.github.com/SPDY-Specification/draft-mbelshe-spdy-00.xml#RFC6454).
> > For example, a SPDY connection to www.foo.com is generally not permitted
> > to push a response for www.evil.com."
> >
> > Even if the servers are required not to send promises for resources they
> > don't technically own, browsers need to verify it.  The client will be in
> > the enforcement role here.
> >
> > Mike
> >
> >
> >
> >
> > On Mon, Jul 1, 2013 at 11:34 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
> >
> >> On 1 July 2013 22:22, Sam Pullara <spullara@gmail.com> wrote:
> >> > I suggest that you limit to same origin and remove the :schema and the
> >> > :host.
> >>
> >> You are probably right Sam, and I think that I agree, but this would
> >> be a change and we need to be careful about that.  See
> >> https://github.com/http2/http2-spec/issues/158
> >>
> >>
> >
> 
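The client-side enforcement Mike and William describe, as an added illustration that is not code from the thread or from any HTTP/2 implementation: the client derives the origin a PUSH_PROMISE claims from its :scheme and :host pseudo-headers and accepts it only when it equals the connection's own (scheme, host, port). The fallback for absent headers follows James' "same origin unless otherwise specified" reading, and `parse_origin`, `pushed_origin` and `may_accept_push` are names assumed here.

```python
"""Client-side same-origin check for HTTP/2 PUSH_PROMISE frames (added example)."""
from dataclasses import dataclass
from typing import Mapping, Optional

# Default ports used when the authority carries none (RFC 6454 origin comparison).
DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class Origin:
    scheme: str
    host: str
    port: int


def parse_origin(scheme: str, authority: str) -> Optional[Origin]:
    """Build an origin from a scheme and host[:port]; None if the scheme is unknown."""
    scheme = scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return None
    host, sep, port_str = authority.rpartition(":")
    if sep and port_str.isdigit():
        port = int(port_str)
    else:
        host, port = authority, DEFAULT_PORTS[scheme]
    # Host comparison is case-insensitive; a trailing dot names the same host.
    return Origin(scheme, host.lower().rstrip("."), port)


def pushed_origin(conn: Origin, headers: Mapping[str, str]) -> Optional[Origin]:
    """Origin a PUSH_PROMISE claims. Absent :scheme/:host fall back to the
    connection's values (assumed reading of James' proposal)."""
    scheme = headers.get(":scheme", conn.scheme)
    authority = headers.get(":host", f"{conn.host}:{conn.port}")
    return parse_origin(scheme, authority)


def may_accept_push(conn: Origin, headers: Mapping[str, str]) -> bool:
    """True only when the promised resource shares the connection's origin.
    A client that cannot recognise the origin (unknown scheme) rejects the push."""
    target = pushed_origin(conn, headers)
    return target is not None and target == conn


# Constructed example connection: TLS to www.foo.com, as in Mike's quoted text.
CONN = parse_origin("https", "www.foo.com")
```

A push for www.evil.com over that connection, or one that changes the scheme or port, is rejected and should be treated as a protocol violation rather than silently cached.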

Received on Tuesday, 2 July 2013 22:26:07 UTC