Re: Security of cross-origin pushed resources

I think this is a good question that I don't know is well specified
anywhere. I recall us discussing for HTTP/1.1 whether or not it's feasible
for a client to reuse a TCP connection for the same destination IP address,
even if it's for different origins. My understanding is that mnot ran a quick
test of the feasibility and showed that it works 99.X% of the time or
something, but my memory's vague on the matter. Mark can correct me here.

If it's reasonable to reuse a TCP connection for the same IP address but
for different origins, and we specify this in httpbis (I don't know what
httpbis has to say about this), then I think the current draft HTTP/2 spec
is fine. And I think it's desirable to support this, especially if you have
a CDN which services many origins off the same VIP. Of course, it's a
little tricky at the client, because if you receive a push promise from a
different origin, then you have to do a DNS lookup before you can tell if
you can accept it.

On Fri, Sep 20, 2013 at 11:55 AM, Jo Liss <joliss42@gmail.com> wrote:

> [Originally at https://github.com/http2/http2-spec/issues/248]
>
> Hey all,
>
> http://http2.github.io/http2-spec/#rfc.section.10.1 says:
>
> > A server is considered authoritative for an "http" resource if the
> > connection is established to a resolved IP address for the domain in the
> > origin of the resource.
>
> I worry whether this might be insecure: For instance,
> `foo.herokuapp.com` and `bar.herokuapp.com` could conceivably live
> behind a load balancer at the same IP address, yet `foo` shouldn't be
> able to push resources for `bar`. (Or am I mis-reading the spec here?)
>
> I'm guessing the expectation would be: If the load balancer speaks
> HTTP 2.0, it would forward individual streams to the servers, so we
> can expect it to enforce that servers don't send unauthorized push
> promises.
>
> But what if an HTTP 1.1 load balancer forwards the entire TCP
> connection once it sees a Host: field? Then the server could
> conceivably upgrade to HTTP 2.0 and push resources that it isn't
> allowed to push.
>
> Could this happen? What do you think?
>
> Cheers,
> Jo
>
> --
> Jo Liss
> http://www.solitr.com/blog/
>
>

Received on Friday, 20 September 2013 19:27:16 UTC
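An added illustration, not code from this thread or from the HTTP/2 spec: the client-side check the reply describes, modelling the draft section 10.1 rule with a constructed DNS table so it runs offline. The `FAKE_DNS` entries, the host names and the function names are assumptions; the port check is an added assumption beyond the quoted rule. Note that under the draft rule the foo/bar same-VIP case Jo raises is accepted, which is exactly the concern.

```python
"""Client-side authority check for a cross-origin PUSH_PROMISE (added example)."""
from urllib.parse import urlsplit

# Constructed DNS table standing in for a real resolver (hypothetical hosts).
FAKE_DNS = {
    "foo.herokuapp.com": {"203.0.113.10"},
    "bar.herokuapp.com": {"203.0.113.10"},   # same VIP behind one load balancer
    "cdn.example.net":   {"203.0.113.10", "203.0.113.11"},
    "other.example.org": {"198.51.100.7"},
}


def resolve(host):
    """Return the set of IPs for host; an empty set stands for NXDOMAIN."""
    return FAKE_DNS.get(host.lower(), set())


def origin_of(url):
    """Normalize a URL to its (scheme, host, port) origin tuple."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def may_accept_push(conn_ip, conn_origin_url, promised_url, resolver=resolve):
    """Decide whether a PUSH_PROMISE for promised_url may be accepted on a
    connection to conn_ip that was opened for conn_origin_url.

    Same-origin promises are accepted outright. For a different origin the
    client performs the extra DNS lookup the reply mentions and accepts only
    if the connection's IP is among the answers for the promised host
    (the draft rule). Scheme and port must match the connection (assumption).
    """
    conn_origin = origin_of(conn_origin_url)
    promised = origin_of(promised_url)
    if promised == conn_origin:
        return True
    if promised[0] != conn_origin[0] or promised[2] != conn_origin[2]:
        return False  # never mix http/https or ports across a pushed origin
    return conn_ip in resolver(promised[1])
```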