
Re: HTTP Alternative Services: What about TLS client certificates?

From: Roy T. Fielding <fielding@gbiv.com>
Date: Mon, 30 Mar 2015 15:31:59 -0700
Cc: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Jann Horn <jann@thejh.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <CEA50C88-690B-4DF0-9454-05A87324926D@gbiv.com>
To: Roberto Peon <grmocg@gmail.com>

On Mar 30, 2015, at 1:15 PM, Roberto Peon wrote:

> I think the point of the alt-svc field is to declare that the new transport and port are the same origin in this case.

Well, then Alt-Svc is a security hole.  Creating a security hole just
to avoid one duplicate request (retrieving the alternative service
before doing subrequests) would completely abuse the point of switching
to a TLS connection for that service.

A simple principle is that no header field from the response origin
can be allowed to change the same-origin for that response.  Only a
field from the target can do that safely (e.g., CORS).

....Roy
Received on Monday, 30 March 2015 22:32:23 UTC
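The principle Fielding states above (a header field in a response must not be allowed to change that response's same-origin; Alt-Svc can at most change where the bytes are sent) can be made concrete in a small client-side model. The following is an added example, not code from the thread or from any HTTP implementation: it parses Alt-Svc using the RFC 7838 syntax (protocol-id, quoted alt-authority, optional `ma` parameter), keeps a per-origin table of alternatives, and shows that the origin attributed to a response is derived from the request URI alone. The `Origin`, `Alternative` and `RequestPlan` types, the function names and the sample header values are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
DEFAULT_MAX_AGE = 86400  # RFC 7838: "ma" defaults to 24 hours when absent


@dataclass(frozen=True)
class Origin:
    """Same-origin tuple: scheme, host, port (constructed type for this example)."""
    scheme: str
    host: str
    port: int

    @classmethod
    def from_url(cls, url: str) -> "Origin":
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        host = (parts.hostname or "").lower()
        return cls(scheme, host, parts.port or DEFAULT_PORTS[scheme])


@dataclass(frozen=True)
class Alternative:
    """One alt-value: a transport hint, deliberately not an Origin."""
    protocol: str
    host: str
    port: int
    max_age: int


# alt-value = protocol-id "=" alt-authority *( OWS ";" OWS parameter )
_ALT_VALUE = re.compile(r'^\s*([^=;,\s]+)\s*=\s*"([^"]*)"\s*(.*)$')


def _split_unquoted(text: str, sep: str) -> List[str]:
    """Split on sep only outside double quotes (header list syntax)."""
    out, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur))
    return [s for s in out if s.strip()]


def parse_alt_svc(value: str, origin: Origin) -> List[Alternative]:
    """Parse an Alt-Svc field value; malformed members are skipped."""
    if value.strip().lower() == "clear":
        return []
    alts: List[Alternative] = []
    for member in _split_unquoted(value, ","):
        m = _ALT_VALUE.match(member)
        if not m:
            continue
        protocol, authority, rest = m.groups()
        # alt-authority = [uri-host] ":" port; an empty host means the origin's host
        host, _, port_s = authority.rpartition(":")
        if not port_s.isdigit():
            continue
        max_age = DEFAULT_MAX_AGE
        for param in _split_unquoted(rest, ";"):
            key, _, val = param.strip().partition("=")
            val = val.strip().strip('"')
            if key.strip().lower() == "ma" and val.isdigit():
                max_age = int(val)
        alts.append(Alternative(protocol, (host or origin.host).lower(), int(port_s), max_age))
    return alts


def learn_alt_svc(request_url: str, alt_svc_value: str,
                  store: Dict[Origin, List[Alternative]]) -> Origin:
    """Record alternatives for the response's origin. The origin returned is
    computed from the request URI only; the header cannot alter it."""
    origin = Origin.from_url(request_url)
    store[origin] = parse_alt_svc(alt_svc_value, origin)
    return origin


@dataclass(frozen=True)
class RequestPlan:
    origin: Origin      # what the response will be attributed to
    connect_host: str   # where the connection actually goes
    connect_port: int
    protocol: str


def plan_request(url: str, store: Dict[Origin, List[Alternative]]) -> RequestPlan:
    """Choose a transport for url: the first known alternative, else the origin itself."""
    origin = Origin.from_url(url)
    alts = store.get(origin, [])
    if alts:
        a = alts[0]
        return RequestPlan(origin, a.host, a.port, a.protocol)
    return RequestPlan(origin, origin.host, origin.port, "origin")


def same_origin(a: Origin, b: Origin) -> bool:
    return a == b


if __name__ == "__main__":
    table: Dict[Origin, List[Alternative]] = {}
    o = learn_alt_svc("https://example.com/index.html",
                      'h2="alt.example.com:443"; ma=3600, h2=":8443"', table)
    plan = plan_request("https://example.com/api", table)
    print(plan)  # origin stays example.com:443 even though bytes go to alt.example.com
    # A subrequest naively addressed to the alternative's authority is cross-origin.
    print(same_origin(o, Origin.from_url("https://alt.example.com/")))  # False
```

The point of `learn_alt_svc` returning `Origin.from_url(request_url)` unchanged is the whole argument: the alternative is stored as routing state keyed by origin, and nothing in the table feeds back into `Origin`. Any design where the Alt-Svc value could instead become the origin of the response would let the responding server widen its own same-origin, which is what the message above objects to.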

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:43 UTC