- From: Patrick McManus <mcmanus@ducksong.com>
- Date: Mon, 8 Jun 2015 09:11:39 -0400
- To: Mark Nottingham <mnot@mnot.net>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Received on Monday, 8 June 2015 13:12:05 UTC
its not optimal, but I would consider some kind of CORS mechanism (or more likely, CORS :)) here as part of the alt-svc establishment. relatedly I've heard concerns about even cross host with the cert check in environments with broad alternates - and the feeling that this bypasses the spirit of CORS. (though I disagree on that count, I do understand it). On Sun, Jun 7, 2015 at 9:46 PM, Mark Nottingham <mnot@mnot.net> wrote: > <https://github.com/httpwg/http-extensions/issues/73> > > This issue asks if allowing a header to advertise an alternative on > another port (but still on the same host) is adequate, since in some shared > hosting environments, users will have the ability to add response headers, > as well as listen on other ports. > > Erik has suggested in the issue that it might be helpful to limit these to > privileged ports — i.e., those lower than 1024. I'm assuming such a > restriction would be in place if the origin port were also privileged. > > What do people think? > > -- > Mark Nottingham https://www.mnot.net/ > > >
Received on Monday, 8 June 2015 13:12:05 UTC