Re: #492: Alt-Svc header host restriction from Ryan Hamilton on 2014-06-04 (ietf-http-wg@w3.org from April to June 2014)

From: Ryan Hamilton <rch@google.com>
Date: Wed, 4 Jun 2014 12:10:35 -0700
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAJ_4DfRxnVJg9845woOXwwtzdqqE2YCodJsdxGfDBHQmsBoKNQ@mail.gmail.com>

On Wed, Jun 4, 2014 at 9:33 AM, Martin Thomson <martin.thomson@gmail.com>
wrote:

>
> On Jun 4, 2014 9:15 AM, "Mark Nottingham" <mnot@mnot.net> wrote:
> >
> > When we were originally working on Alt-Svc, Patrick and I put a
> restriction on the Alt-Svc header field so that it couldn’t redirect
> clients to a different host.
> >
> > Since then, several people have pointed out that the requirement to have
> strong server authentication, as well as cache flushing, seems to contain
> the risk associated with doing this, and that the facility could be quite
> useful.
>
> This sounds fine.
>
>  think that this restriction still belongs in the -encryption draft.
>
This also sounds good to me.
 In Chrome, we've had a number of different discussions about wanting to
do basically this. If the Alt-Svc header supported this functionality, that
would be awesome.

Received on Wednesday, 4 June 2014 19:11:02 UTC