On Mar 30, 2015, at 1:15 PM, Roberto Peon wrote:

> I think the point of the alt-svc field is to declare that the new transport and port are the same origin in this case.

Well, then Alt-Svc is a security hole. Creating a security hole just to avoid one duplicate request (retrieving the alternative service before doing subrequests) would completely abuse the point of switching to a TLS connection for that service.

A simple principle is that no header field from the response origin can be allowed to change the same-origin for that response. Only a field from the target can do that safely (e.g., CORS).

....Roy

Received on Monday, 30 March 2015 22:32:23 UTC