- From: 陈智昌 <willchan@chromium.org>
- Date: Fri, 20 Sep 2013 12:26:49 -0700
- To: Jo Liss <joliss42@gmail.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAA4WUYjKXYY82okCz-rw8LN5E+ZaT2HEfHh1kiK0uXpXx_RrEA@mail.gmail.com>

I think this is a good question that I don't know is well specified anywhere. I recall us discussing for HTTP/1.1 whether or not it's feasible for a client to reuse a TCP connection for the same destination IP address, even if it's for different origins. My understanding is mnot ran a quick test of the feasibility and showed that it works 99.X% of the time or something, but my memory's vague on the matter. Mark can correct me here.

If it's reasonable to reuse a TCP connection for the same IP address but for different origins, and we specify this in httpbis (I don't know what httpbis has to say about this), then I think the current draft HTTP/2 spec is fine. And I think it's desirable to support this, especially if you have a CDN which services many origins off the same VIP.

Of course, it's a little tricky at the client, because if you receive a push promise from a different origin, then you have to do a DNS lookup before you can tell if you can accept it.

On Fri, Sep 20, 2013 at 11:55 AM, Jo Liss <joliss42@gmail.com> wrote:

> [Originally at https://github.com/http2/http2-spec/issues/248]
>
> Hey all,
>
> http://http2.github.io/http2-spec/#rfc.section.10.1 says:
>
> > A server is considered authoritative for an "http" resource if the connection is
> > established to a resolved IP address for the domain in the origin of the resource.
>
> I worry whether this might be insecure: For instance,
> `foo.herokuapp.com` and `bar.herokuapp.com` could conceivably live
> behind a load balancer at the same IP address, yet `foo` shouldn't be
> able to push resources for `bar`. (Or am I mis-reading the spec here?)
>
> I'm guessing the expectation would be: If the load balancer speaks
> HTTP 2.0, it would forward individual streams to the servers, so we
> can expect it to enforce that servers don't send unauthorized push
> promises.
>
> But what if an HTTP 1.1 load balancer forwards the entire TCP
> connection once it sees a Host: field? Then the server could
> conceivably upgrade to HTTP 2.0 and push resources that it isn't
> allowed to push.
>
> Could this happen? What do you think?
>
> Cheers,
> Jo
>
> --
> Jo Liss
> http://www.solitr.com/blog/

Received on Friday, 20 September 2013 19:27:16 UTC
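
The authority rule quoted in this message, as an added example that is not part of the original e-mail or of the HTTP/2 draft: it applies the rule to the `foo`/`bar` case with a constructed DNS table, next to a stricter same-origin check that is an assumption added for comparison. The resolver stub, the addresses and all function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed DNS data (assumption): two tenants behind one load balancer IP,
# plus an unrelated host. Addresses come from documentation ranges.
CONSTRUCTED_DNS = {
    "foo.herokuapp.com": {"203.0.113.10"},
    "bar.herokuapp.com": {"203.0.113.10"},
    "other.example": {"198.51.100.7"},
}


def resolve(host):
    """Hypothetical resolver stub backed by the constructed table above."""
    return CONSTRUCTED_DNS.get(host.lower(), set())


def origin_of(url):
    """Return (scheme, host, port) for an http URL, or None if it is not one."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname.lower(), parts.port or 80)


def ip_rule_accepts(conn_ip, pushed_url, resolver=resolve):
    """Quoted rule: authoritative if the connection IP is one of the
    addresses the pushed resource's host resolves to."""
    origin = origin_of(pushed_url)
    return origin is not None and conn_ip in resolver(origin[1])


def same_origin_accepts(conn_url, pushed_url):
    """Stricter policy (assumption, not from the draft): accept a push only
    for the origin the connection was opened for."""
    origin = origin_of(pushed_url)
    return origin is not None and origin == origin_of(conn_url)


def evaluate(conn_url, conn_ip, pushed_urls):
    """Map each pushed URL to (ip_rule_decision, same_origin_decision)."""
    return {u: (ip_rule_accepts(conn_ip, u), same_origin_accepts(conn_url, u))
            for u in pushed_urls}


if __name__ == "__main__":
    pushes = ["http://foo.herokuapp.com/a.js", "http://bar.herokuapp.com/b.js",
              "http://other.example/c.js"]
    for url, decision in evaluate("http://foo.herokuapp.com/", "203.0.113.10", pushes).items():
        print(url, decision)
```

Under the IP-based rule the push for `bar` is accepted on a connection opened for `foo`, which is the case the thread is asking about; the same-origin comparison rejects it.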