Alt-Svc Privacy Concerns

On Sat, Apr 9, 2016 at 2:36 PM, Ryan Hamilton <> wrote:

> On Fri, Apr 8, 2016 at 11:01 AM, Patrick McManus <>
> wrote:
>> On Fri, Apr 8, 2016 at 2:31 PM, Ryan Hamilton <> wrote:
>>> Howdy,
>>> It is common for web sites to serve content from a variety of different
>>> origins within the same domain. For example,,
>>>, A single page view may
>>> require loading resources from several such origins. (Tricks like domain
>>> sharing can exacerbate this proliferation of origins.) It would be great if
>>> the service had some way to tell the client, "All of my domains can use
>>> this alternative service". What would folks thinks of an include-subdomains
>>> parameter in the Alt-Svc value? If such a parameter were present in an
>>> Alt-Svc advertisement, a client could use this advertisement to apply to
>>> any sub-domain of the origin that the client does not already have an
>>> alternative for. This would avoid the need to discover the alternatives
>>> individually.
>> the server can send, unsolicited, on stream 0 an altsvc frame for each
>> origin it wants to provide alt-svc info for (the connection needs to be
>> authoritative for those origins, of course).
>> yesterday's discussion of adding certificates to an established
>> connection would make that more powerful.
>> I would encourage h1 servers to update to h2 to get this feature :)
> Hm. This seems plausible for the simple case where the number of extra
> origins is small. But in some cases, the number of extra origins can be ...
> enormous.
> ​In the case of YouTube which I'm quite familiar with, there are literally
> thousands of hostnames and they all have the same Alt-Svc. We can't
> practically push an origin frame for each server.​ And even if we could, I
> suspect that browsers will limit the number of servers for which they are
> tracking Alt-Svc information.
> I'm concerned that Alt-Svc, especially used like this, is re-introducing
the sort of privacy issues people have been trying to eliminate with
cookies for years. Appologies if this has already been discussed and I
missed it.

Specifically, although I know that, for example, and,
are tightly related, the average user might not. Over a TLS end-to-end
connection, Alt-Svc seems to make it easy to track activities between
domains without user knowledge or consent. Ditto for

There's also a danger that while a CDN might legitimately advertise Alt-Svc
for different sites it caches, a rogue CDN might seize the opportunity to
track activity across unrelated entities.

Best wishes,

Phil Lello

Received on Saturday, 9 April 2016 17:41:30 UTC