- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Mon, 30 Mar 2015 15:31:59 -0700
- To: Roberto Peon <grmocg@gmail.com>
- Cc: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Jann Horn <jann@thejh.net>, HTTP Working Group <ietf-http-wg@w3.org>
On Mar 30, 2015, at 1:15 PM, Roberto Peon wrote:

> I think the point of the alt-svc field is to declare that the new transport and port are the same origin in this case.

Well, then Alt-Svc is a security hole. Creating a security hole just to avoid one duplicate request (retrieving the alternative service before doing subrequests) would completely abuse the point of switching to a TLS connection for that service.

A simple principle is that no header field from the response origin can be allowed to change the same-origin for that response. Only a field from the target can do that safely (e.g., CORS).

....Roy
Received on Monday, 30 March 2015 22:32:23 UTC
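An added illustration of the principle argued above (example code written for this page, not from the thread or from any HTTP client): a small Alt-Svc parser plus a routing policy in which the header may change where the client connects but never the origin tuple used for same-origin decisions, and an alternative is only used when its certificate covers the origin host. The function names and the certificate-name sets passed in are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Matches one Alt-Svc entry: protocol="[host]:port" followed by optional ;params.
_ALT_RE = re.compile(r'([\w!#$%&*+.^`|~-]+)="([^"]*)"((?:\s*;\s*[^,;]+)*)')


@dataclass(frozen=True)
class Alternative:
    protocol: str
    host: str      # "" means "same host as the origin"
    port: int
    max_age: int   # seconds; 86400 assumed when no "ma" parameter is present


def parse_alt_svc(value: str) -> list[Alternative]:
    """Parse an Alt-Svc field value; "clear" or malformed input yields []."""
    alts = []
    for proto, authority, params in _ALT_RE.findall(value):
        host, _, port = authority.rpartition(":")
        if not port.isdigit():
            continue
        max_age = 86400
        for param in params.split(";"):
            key, _, val = param.strip().partition("=")
            if key == "ma" and val.isdigit():
                max_age = int(val)
        alts.append(Alternative(proto, host, int(port), max_age))
    return alts


def route_for(origin: tuple[str, str, int], alt: Alternative,
              alt_cert_names: frozenset[str]):
    """Return (same_origin_tuple, connect_target) for a request to `origin`.

    The origin tuple is returned unchanged: a response header is never allowed
    to widen or move the origin. The alternative is used only if the
    certificate it presents (constructed here as a set of DNS names) is valid
    for the ORIGIN host, i.e. the alternative authenticates as the origin.
    """
    scheme, host, _port = origin
    if host not in alt_cert_names:
        return origin, None          # unauthenticated alternative: ignore it
    return origin, (alt.protocol, alt.host or host, alt.port)
```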