W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2015

Re: HTTP Alternative Services: What about TLS client certificates?

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 31 Mar 2015 13:58:41 +1100
Cc: Roberto Peon <grmocg@gmail.com>, Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Jann Horn <jann@thejh.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <85AE8A56-F1CC-4BB1-A30A-F5A44279F883@mnot.net>
To: Roy Fielding <fielding@gbiv.com>
Alt-Svc explicitly doesn’t change the origin.


> On 31 Mar 2015, at 9:31 am, Roy T. Fielding <fielding@gbiv.com> wrote:
> 
> On Mar 30, 2015, at 1:15 PM, Roberto Peon wrote:
> 
>> I think the point of the alt-svc field is to declare that the new transport and port are the same origin in this case.
> 
> Well, then Alt-Svc is a security hole.  Creating a security hole just
> to avoid one duplicate request (retrieving the alternative service
> before doing subrequests) would completely abuse the point of switching
> to a TLS connection for that service.
> 
> A simple principle is that no header field from the response origin
> can be allowed to change the same-origin for that response.  Only a
> field from the target can do that safely (e.g., CORS).
> 
> ....Roy

--
Mark Nottingham   https://www.mnot.net/
Received on Tuesday, 31 March 2015 02:59:12 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:43:49 UTC