Alt-Svc explicitly doesn’t change the origin.

> On 31 Mar 2015, at 9:31 am, Roy T. Fielding <fielding@gbiv.com> wrote:
>
> On Mar 30, 2015, at 1:15 PM, Roberto Peon wrote:
>
>> I think the point of the alt-svc field is to declare that the new transport and port are the same origin in this case.
>
> Well, then Alt-Svc is a security hole. Creating a security hole just
> to avoid one duplicate request (retrieving the alternative service
> before doing subrequests) would completely abuse the point of switching
> to a TLS connection for that service.
>
> A simple principle is that no header field from the response origin
> can be allowed to change the same-origin for that response. Only a
> field from the target can do that safely (e.g., CORS).
>
> ....Roy

--
Mark Nottingham   https://www.mnot.net/

Received on Tuesday, 31 March 2015 02:59:12 UTC
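The distinction the thread turns on, shown in code as an added example that is not part of the archived message or of any HTTP implementation: an Alt-Svc field value (RFC 7838) tells the client where it may *connect*, while the origin used for same-origin decisions (RFC 6454) stays the scheme/host/port of the URL. The parser, the `Origin`/`AltService` types, and the `plan_request` helper below are hypothetical names; the certificate check models RFC 7838 section 2.1 (an alternative is only usable when the server it reaches authenticates as the origin host) and takes the presented names as a plain parameter rather than from a real TLS handshake.

```python
"""Alt-Svc is a connection hint, not an origin change (added example)."""
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class Origin:
    scheme: str
    host: str
    port: int


@dataclass(frozen=True)
class AltService:
    protocol: str   # ALPN id, e.g. "h2", "h3"
    host: str       # empty alt-authority host means "same host as the origin"
    port: int
    max_age: int    # seconds; RFC 7838 default is 24 hours
    persist: bool


def origin_of(url: str) -> Origin:
    """RFC 6454 origin of a URL: scheme, lowercase host, effective port."""
    u = urlsplit(url)
    port = u.port if u.port is not None else DEFAULT_PORTS[u.scheme]
    return Origin(u.scheme, u.hostname.lower(), port)


def same_origin(url_a: str, url_b: str) -> bool:
    return origin_of(url_a) == origin_of(url_b)


def parse_alt_svc(value: str, origin: Origin) -> list[AltService]:
    """Parse Alt-Svc: "clear" or a comma-separated list of
    protocol-id "=" <"[host]:port"> *( ";" parameter ).
    Malformed members are skipped. Commas inside quoted strings are
    not expected in alt-authority, so a plain split is used (assumption)."""
    value = value.strip()
    if value.lower() == "clear":
        return []
    services: list[AltService] = []
    for member in value.split(","):
        parts = [p.strip() for p in member.strip().split(";")]
        if not parts[0]:
            continue
        proto, _, authority = parts[0].partition("=")
        proto = unquote(proto.strip())            # protocol-id is percent-encoded
        host, _, port = authority.strip().strip('"').rpartition(":")
        if not proto or not port.isdigit():
            continue
        max_age, persist = 86400, False
        for param in parts[1:]:
            k, _, v = param.partition("=")
            k, v = k.strip().lower(), v.strip().strip('"')
            if k == "ma" and v.isdigit():
                max_age = int(v)
            elif k == "persist":
                persist = v == "1"
        services.append(AltService(proto, host or origin.host, int(port), max_age, persist))
    return services


def plan_request(url: str, alternatives: list[AltService],
                 alt_cert_names: frozenset[str]) -> tuple[Origin, str, int]:
    """Decide where to connect for `url`. Returns (origin, connect_host, connect_port).
    `alt_cert_names` stands in for the names on the certificate the alternative
    server presents (constructed input). Whatever is chosen, the returned origin
    is always that of the URL: Alt-Svc never widens same-origin."""
    origin = origin_of(url)
    for alt in alternatives:
        # RFC 7838 s2.1: the alternative must authenticate as the ORIGIN host,
        # not merely as itself. A cert only for alt.host is not enough.
        if origin.scheme == "https" and origin.host not in alt_cert_names:
            continue
        return origin, alt.host, alt.port
    return origin, origin.host, origin.port


if __name__ == "__main__":
    # Constructed response data, not captured traffic.
    page = "https://www.example.com/index.html"
    alts = parse_alt_svc('h2="alt.example.net:8443"; ma=3600, h3=":443"', origin_of(page))
    origin, host, port = plan_request(page, alts, frozenset({"www.example.com"}))
    print(f"connect to {host}:{port}, origin stays {origin}")
    # A subrequest to the alternative's own authority is still cross-origin.
    print(same_origin(page, "https://alt.example.net:8443/api"))
```

Running it connects the first request to alt.example.net:8443 yet reports the origin as https://www.example.com:443, and the direct URL of the alternative is cross-origin. Dropping the origin name from the presented certificate makes `plan_request` fall back to the origin itself.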
This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:43:49 UTC