Re: HTTP Alternative Services: What about TLS client certificates?

On Mar 30, 2015, at 1:15 PM, Roberto Peon wrote:

> I think the point of the alt-svc field is to declare that the new transport and port are the same origin in this case.

Well, then Alt-Svc is a security hole.  Creating a security hole just
to avoid one duplicate request (retrieving the alternative service
before doing subrequests) would completely abuse the point of switching
to a TLS connection for that service.

A simple principle is that no header field from the response origin
can be allowed to change the same-origin for that response.  Only a
field from the target can do that safely (e.g., CORS).


Received on Monday, 30 March 2015 22:32:23 UTC
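The principle in the message above, that a response header from the origin must not be allowed to extend that origin's same-origin boundary and that only the target can do so, can be turned into a concrete client policy. The following is an added example and is not code from the message, the thread, or the HTTP working group drafts; every name in it (`Alternative`, `parse_alt_svc`, `host_matches`, `target_attests`, `choose_alternative`, `handshake`, `fake_certs`) is hypothetical, and the certificate names are constructed sample data standing in for a real TLS handshake. It treats `Alt-Svc` as a hint only and lets the alternative be used for the origin solely when the alternative itself presents a certificate valid for the origin's host, i.e. when the target vouches for it rather than the origin's own header.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Added example: assumed client policy, not code from the message or the HTTP WG.
# The origin's Alt-Svc header is only a hint; the target alternative must prove
# by its own TLS certificate that it may serve the origin's host.


@dataclass(frozen=True)
class Alternative:
    protocol: str   # ALPN protocol-id from the header, e.g. "h2"
    host: str       # alternative host (the origin's host if the header omitted it)
    port: int


# One alt-value: protocol-id "=" quoted alt-authority; trailing parameters ignored.
_ALT_VALUE = re.compile(r'\s*([!#$%&\'*+\-.^_`|~0-9A-Za-z]+)="([^"]*)"')


def parse_alt_svc(field_value: str, origin_host: str) -> List[Alternative]:
    """Parse an Alt-Svc field value (RFC 7838 grammar; ma=/persist= ignored)."""
    if field_value.strip().lower() == "clear":
        return []
    alts = []
    for member in field_value.split(","):
        m = _ALT_VALUE.match(member)
        if not m:
            continue                      # malformed member: ignore, never guess
        protocol, authority = m.group(1), m.group(2)
        host, sep, port = authority.rpartition(":")
        if not sep or not port.isdigit():
            continue
        alts.append(Alternative(protocol, host or origin_host, int(port)))
    return alts


def host_matches(name: str, san: str) -> bool:
    """dNSName match: exact, or a single-label leftmost wildcard (*.example.com)."""
    name, san = name.lower(), san.lower()
    if san.startswith("*."):
        labels = name.split(".")
        return len(labels) == len(san.split(".")) and ".".join(labels[1:]) == san[2:]
    return name == san


def target_attests(origin_host: str, alt: Alternative,
                   presented_sans: Optional[List[str]]) -> bool:
    """The security decision: the alternative counts as same-origin only if the
    target presented a certificate valid for origin_host (not merely for alt.host).
    Nothing the origin said in Alt-Svc contributes to this decision.
    presented_sans is None when no certificate was obtained (e.g. cleartext)."""
    if presented_sans is None:
        return False
    return any(host_matches(origin_host, san) for san in presented_sans)


def choose_alternative(origin_host: str, field_value: str,
                       handshake: Callable[[Alternative], Optional[List[str]]]
                       ) -> Optional[Alternative]:
    """handshake(alt) returns the SAN dNSNames the alternative presented, or None.
    Returns the first alternative the target vouches for, else None (stay on origin)."""
    for alt in parse_alt_svc(field_value, origin_host):
        if target_attests(origin_host, alt, handshake(alt)):
            return alt
    return None


if __name__ == "__main__":
    # Constructed sample data: the SANs each candidate alternative would present.
    fake_certs = {
        ("alt.example.net", 8443): ["alt.example.net"],            # only its own name
        ("www.example.com", 8443): ["www.example.com"],            # the origin's name
        ("evil.example", 443): ["evil.example", "*.evil.example"],
    }

    def handshake(alt: Alternative) -> Optional[List[str]]:
        return fake_certs.get((alt.host, alt.port))   # None: no certificate obtained

    origin = "www.example.com"
    # Header injected by whoever controls the origin's (possibly cleartext) response:
    print(choose_alternative(origin, 'h2="evil.example:443"', handshake))
    # Origin points at itself on another port; the target proves it with its cert:
    print(choose_alternative(origin, 'h2=":8443"; ma=3600', handshake))
```

The parser is deliberately permissive about what it ignores and strict about what it accepts: an unparseable member is dropped rather than repaired, and a port-less authority is never defaulted. The policy function never looks at anything from the origin's response except the candidate list, so a forged or injected `Alt-Svc` can at worst cause a wasted connection attempt, not a change of origin.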