Re: #73: Alt-Svc Elevation of Privilege

It's not optimal, but I would consider some kind of CORS mechanism (or more
likely, CORS :)) here as part of the alt-svc establishment.

Relatedly, I've heard concerns about even cross host with the cert check in
environments with broad alternates - and the feeling that this bypasses the
spirit of CORS. (Though I disagree on that count, I do understand it.)

On Sun, Jun 7, 2015 at 9:46 PM, Mark Nottingham <> wrote:

> This issue asks if allowing a header to advertise an alternative on
> another port (but still on the same host) is adequate, since in some shared
> hosting environments, users will have the ability to add response headers,
> as well as listen on other ports.
> Erik has suggested in the issue that it might be helpful to limit these to
> privileged ports — i.e., those lower than 1024. I'm assuming such a
> restriction would be in place if the origin port were also privileged.
> What do people think?
> --
> Mark Nottingham

Received on Monday, 8 June 2015 13:12:05 UTC
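
The port restriction floated in the quoted message, sketched as a client-side filter over an Alt-Svc field value. This is an added example, not code from the thread or from any specification or implementation. The function names, the simplified parser (it assumes no commas inside quoted strings) and the sample header values are assumptions made for illustration.

```python
PRIVILEGED_MAX = 1023  # "privileged ports", i.e. those lower than 1024


def parse_alt_svc(value):
    """Parse an Alt-Svc field value into (protocol, host, port) tuples.

    host is "" when the alternative names only a port, meaning the
    origin's own host. Parameters such as ma= are ignored here.
    """
    if value.strip() == "clear":
        return []
    alternatives = []
    for item in value.split(","):
        alternative = item.split(";", 1)[0].strip()   # drop ;ma=... parameters
        proto, _, authority = alternative.partition("=")
        authority = authority.strip().strip('"')
        host, _, port = authority.rpartition(":")     # keeps "[::1]" intact
        if not proto or not port.isdigit():
            raise ValueError(f"malformed alternative: {item!r}")
        alternatives.append((proto.strip(), host.lower(), int(port)))
    return alternatives


def allowed_alternatives(origin_host, origin_port, header_value):
    """Hypothetical policy: when the origin port is privileged, drop
    same-host alternatives that point at an unprivileged port.

    Alternatives on other hosts pass through untouched; the certificate
    check mentioned in the thread is not modelled.
    """
    origin_host = origin_host.lower()
    kept = []
    for proto, host, port in parse_alt_svc(header_value):
        same_host = host in ("", origin_host)
        if same_host and origin_port <= PRIVILEGED_MAX < port:
            continue  # any local user could be listening on this port
        kept.append((proto, host or origin_host, port))
    return kept


if __name__ == "__main__":
    # Constructed sample: a response from https://example.com:443
    header = 'h2=":8443"; ma=3600, h2=":444"'
    print(allowed_alternatives("example.com", 443, header))
```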