- From: Mark Nottingham <mnot@mnot.net>
- Date: Tue, 31 Mar 2015 13:58:41 +1100
- To: Roy Fielding <fielding@gbiv.com>
- Cc: Roberto Peon <grmocg@gmail.com>, Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Jann Horn <jann@thejh.net>, HTTP Working Group <ietf-http-wg@w3.org>
Alt-Svc explicitly doesn’t change the origin. > On 31 Mar 2015, at 9:31 am, Roy T. Fielding <fielding@gbiv.com> wrote: > > On Mar 30, 2015, at 1:15 PM, Roberto Peon wrote: > >> I think the point of the alt-svc field is to declare that the new transport and port are the same origin in this case. > > Well, then Alt-Svc is a security hole. Creating a security hole just > to avoid one duplicate request (retrieving the alternative service > before doing subrequests) would completely abuse the point of switching > to a TLS connection for that service. > > A simple principle is that no header field from the response origin > can be allowed to change the same-origin for that response. Only a > field from the target can do that safely (e.g., CORS). > > ....Roy -- Mark Nottingham https://www.mnot.net/
Received on Tuesday, 31 March 2015 02:59:12 UTC