
Security of cross-origin pushed resources

From: Jo Liss <joliss42@gmail.com>
Date: Fri, 20 Sep 2013 19:55:12 +0100
Message-ID: <CAN=xy3_aSrLcfrPpk9O1=dgHb8gvbgP1xxrHSq0t1grajPY5+A@mail.gmail.com>
To: ietf-http-wg@w3.org
[Originally at https://github.com/http2/http2-spec/issues/248]

Hey all,

http://http2.github.io/http2-spec/#rfc.section.10.1 says:

> A server is considered authoritative for an "http" resource if the connection is
> established to a resolved IP address for the domain in the origin of the resource.

I worry whether this might be insecure: For instance,
`foo.herokuapp.com` and `bar.herokuapp.com` could conceivably live
behind a load balancer at the same IP address, yet `foo` shouldn't be
able to push resources for `bar`. (Or am I mis-reading the spec here?)

I'm guessing the expectation would be: If the load balancer speaks
HTTP 2.0, it would forward individual streams to the servers, so we
can expect it to enforce that servers don't send unauthorized push
promises.

But what if an HTTP 1.1 load balancer forwards the entire TCP
connection once it sees a Host: field? Then the server could
conceivably upgrade to HTTP 2.0 and push resources that it isn't
allowed to push.

Could this happen? What do you think?

Cheers,
Jo

-- 
Jo Liss
http://www.solitr.com/blog/
Received on Friday, 20 September 2013 18:55:38 UTC
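The scenario in the message (two tenants behind one load-balancer address, one of them pushing resources for the other) can be made concrete with a small policy model. The following is an added example, not code from the post, from the HTTP/2 spec, or from any implementation; it compares the quoted "resolved IP address" rule with a stricter, hypothetical client-side rule that only accepts a PUSH_PROMISE for the origin the connection was actually opened for. The DNS table, the hostnames and the addresses are constructed for illustration, and the certificate check in the https branch is an assumption, not text from the post.

```python
"""Model of how a client might decide whether to accept a PUSH_PROMISE.

Added example (not from the post or the spec). Two policies are compared:
  * "ip":     the draft rule quoted in the post, i.e. the server is
              authoritative for an "http" resource if the connection is
              to a resolved IP address for the resource's host;
  * "origin": a stricter, hypothetical rule that accepts a push only for
              the scheme and host the connection was established for
              (for https, additionally requiring the presented certificate
              to cover that host).
"""

# Constructed DNS table: both tenant hostnames resolve to the same
# load-balancer address, matching the situation described in the post.
DNS = {
    "foo.herokuapp.com": {"203.0.113.10"},
    "bar.herokuapp.com": {"203.0.113.10"},
    "example.net": {"198.51.100.7"},
}


class Connection:
    """The client's view of one HTTP/2 connection."""

    def __init__(self, scheme, host, peer_ip, cert_sans=()):
        self.scheme = scheme          # scheme of the origin we connected for
        self.host = host              # host of that origin
        self.peer_ip = peer_ip        # address the TCP connection went to
        self.cert_sans = set(cert_sans)  # names on the server cert (https only)


def authoritative_by_ip(conn, authority):
    """Quoted draft rule: authoritative for an "http" resource whenever the
    connection is to an address that the resource's host resolves to."""
    return conn.scheme == "http" and conn.peer_ip in DNS.get(authority, set())


def authoritative_by_origin(conn, scheme, authority):
    """Stricter hypothetical rule: scheme and host must equal the origin the
    client opened the connection for; https also needs certificate coverage."""
    if scheme != conn.scheme or authority != conn.host:
        return False
    if scheme == "https":
        return authority in conn.cert_sans
    return True


def filter_pushes(conn, push_promises, policy="origin"):
    """Split a list of (scheme, authority, path) PUSH_PROMISE headers into
    those the client should accept and those it should reject (RST_STREAM)
    under the chosen policy."""
    accepted, rejected = [], []
    for scheme, authority, path in push_promises:
        if policy == "ip":
            ok = authoritative_by_ip(conn, authority)
        else:
            ok = authoritative_by_origin(conn, scheme, authority)
        (accepted if ok else rejected).append((scheme, authority, path))
    return accepted, rejected


if __name__ == "__main__":
    # Connection opened to foo; the server behind the shared address then
    # tries to push a resource for bar as well.
    conn = Connection("http", "foo.herokuapp.com", "203.0.113.10")
    pushes = [("http", "foo.herokuapp.com", "/app.js"),
              ("http", "bar.herokuapp.com", "/app.js")]
    for policy in ("ip", "origin"):
        ok, bad = filter_pushes(conn, pushes, policy)
        print(policy, "accepts", [p[1] for p in ok], "rejects", [p[1] for p in bad])
```

Under the "ip" policy the push for `bar.herokuapp.com` is accepted because it resolves to the same address the client connected to, which is exactly the gap the message asks about; under the "origin" policy it is rejected and only the `foo.herokuapp.com` push survives.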
