Re: HTTP Alternative Services: What about TLS client certificates?

Alt-Svc explicitly doesn’t change the origin.

> On 31 Mar 2015, at 9:31 am, Roy T. Fielding <> wrote:
> On Mar 30, 2015, at 1:15 PM, Roberto Peon wrote:
>> I think the point of the alt-svc field is to declare that the new transport and port are the same origin in this case.
> Well, then Alt-Svc is a security hole.  Creating a security hole just
> to avoid one duplicate request (retrieving the alternative service
> before doing subrequests) would completely abuse the point of switching
> to a TLS connection for that service.
> A simple principle is that no header field from the response origin
> can be allowed to change the same-origin for that response.  Only a
> field from the target can do that safely (e.g., CORS).
> ....Roy

Mark Nottingham

Received on Tuesday, 31 March 2015 02:59:12 UTC