Re: Security of cross-origin pushed resources

On Fri, Sep 20, 2013 at 12:35 PM, Jo Liss <joliss42@gmail.com> wrote:

> On Fri, Sep 20, 2013 at 8:26 PM, William Chan (陈智昌)
> <willchan@chromium.org> wrote:
> > I recall us discussing for HTTP/1.1 whether or not it's feasible for a
> > client to reuse a TCP connection for the same destination IP address, even
> > if it's for different origins. My understanding is mnot ran a quick test of
> > the feasibility and showed that it works 99.X% of the time or something
>
> Hm, it might work most of the time, but I imagine it would be unsafe
> and browsers wouldn't actually do this. Or am I completely mistaken
> here?
>

Speaking as a browser vendor, this idea has come up a number of times.
We've definitely looked at doing it. It's a lot of work because of how we
do our connection management, and it has unclear performance benefits
(although it's probably a win), and most importantly it's not clear how
safe it is. Oftentimes we'd run an experiment for things like this to see
if it breaks anything in the wild, but the code development and maintenance
costs have been prohibitive.


>
> Jo
>
> --
> Jo Liss
> http://www.solitr.com/blog/
>

Received on Friday, 20 September 2013 19:42:07 UTC