W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2013

Re: Security of cross-origin pushed resources

From: Jo Liss <joliss42@gmail.com>
Date: Sat, 21 Sep 2013 22:02:23 +0100
Message-ID: <CAN=xy38jv9vpp6zDxb69Jj3dkh55odFmsDUu6DTVAKLgbxHB0Q@mail.gmail.com>
To: Patrick McManus <pmcmanus@mozilla.com>
Cc: William Chan (ι™ˆζ™Ίζ˜Œ) <willchan@chromium.org>, HTTP Working Group <ietf-http-wg@w3.org>
On Fri, Sep 20, 2013 at 9:08 PM, Patrick McManus <pmcmanus@mozilla.com>wrote:

> Cross origin pushes that can have their domain be backed up by a
> verifiable cert are pretty awesome


I don't understand TSL (and how it's going to work with HTTP 2.0) very
well, but at least for HTTP 1.1, the cert doesn't seem to be an indication
of authorization.

For instance, Heroku's HTTP 1.1 load balancer terminates the SSL and
presents a certificate for *.herokuapp.com.
https://better-tweet-feed.herokuapp.com/ has a *.herokuapp.com cert, but
the actual HTTP server backing it is controlled by yours truly, and I'm
definitely not authorized to push resources for other subdomains under
herokuapp.com.

So I guess if we want to rely on the cert for cross-origin pushes, we have
to be sure that this kind of thing can't happen for HTTP 2.0. Can we
actually be sure about that?

Sorry to be a pain in the butt!

Jo

-- 
Jo Liss
http://www.solitr.com/blog/
Received on Saturday, 21 September 2013 21:02:50 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:15 UTC