- From: Phil Lello <phil@dunlop-lello.uk>
- Date: Sat, 9 Apr 2016 18:41:00 +0100
- To: Ryan Hamilton <rch@google.com>
- Cc: Patrick McManus <mcmanus@ducksong.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- Message-ID: <CAPofZaEG3gm79CznQuB8RdZb6hXYV7ZiBNTwYj=autVP1=_Cng@mail.gmail.com>
On Sat, Apr 9, 2016 at 2:36 PM, Ryan Hamilton <rch@google.com> wrote:

> On Fri, Apr 8, 2016 at 11:01 AM, Patrick McManus <mcmanus@ducksong.com>
> wrote:
>
>> On Fri, Apr 8, 2016 at 2:31 PM, Ryan Hamilton <rch@google.com> wrote:
>>
>>> Howdy,
>>>
>>> It is common for web sites to serve content from a variety of different
>>> origins within the same domain. For example, www.example.com,
>>> accounts.example.com, images.example.com. A single page view may
>>> require loading resources from several such origins. (Tricks like domain
>>> sharing can exacerbate this proliferation of origins.) It would be great if
>>> the service had some way to tell the client, "All of my domains can use
>>> this alternative service". What would folks think of an include-subdomains
>>> parameter in the Alt-Svc value? If such a parameter were present in an
>>> Alt-Svc advertisement, a client could use this advertisement to apply to
>>> any sub-domain of the origin that the client does not already have an
>>> alternative for. This would avoid the need to discover the alternatives
>>> individually.
>>>
>>
>> the server can send, unsolicited, on stream 0 an altsvc frame for each
>> origin it wants to provide alt-svc info for (the connection needs to be
>> authoritative for those origins, of course).
>>
>> yesterday's discussion of adding certificates to an established
>> connection would make that more powerful.
>>
>> I would encourage h1 servers to update to h2 to get this feature :)
>>
>
> Hm. This seems plausible for the simple case where the number of extra
> origins is small. But in some cases, the number of extra origins can be ...
> enormous.
>
> In the case of YouTube which I'm quite familiar with, there are literally
> thousands of hostnames and they all have the same Alt-Svc. We can't
> practically push an origin frame for each server. And even if we could, I
> suspect that browsers will limit the number of servers for which they are
> tracking Alt-Svc information.

I'm concerned that Alt-Svc, especially used like this, is re-introducing the sort of privacy issues people have been trying to eliminate with cookies for years. Apologies if this has already been discussed and I missed it.

Specifically, although I know that, for example, google.com and youtube.com are tightly related, the average user might not. Over a TLS end-to-end connection, Alt-Svc seems to make it easy to track activities between domains without user knowledge or consent. Ditto for blog1.wordpress.com and blog2.wordpress.com.

There's also a danger that while a CDN might legitimately advertise Alt-Svc for different sites it caches, a rogue CDN might seize the opportunity to track activity across unrelated entities.

Best wishes,

Phil Lello
Received on Saturday, 9 April 2016 17:41:30 UTC
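
The client-side lookup rule proposed in the quoted message, as an added example that is not part of the thread or of any specification. The `include-subdomains` spelling, the `AltSvcCache` class and the `example.net` hosts are assumptions made for illustration; the parameter exists only as a proposal in this thread. It shows that an advertisement covers sub-domains of the advertising origin only, never siblings, and that a host's own advertisement takes precedence.

```python
def parse_alt_svc(value):
    """Parse an Alt-Svc field value into a list of alternatives."""
    alts = []
    for item in value.split(","):
        head, *params = [p.strip() for p in item.split(";")]
        proto, _, authority = head.partition("=")
        names = {p.partition("=")[0].strip().lower() for p in params}
        alts.append({
            "protocol": proto.strip(),
            "authority": authority.strip().strip('"'),
            # Hypothetical parameter from the proposal in this thread.
            "include_subdomains": "include-subdomains" in names,
        })
    return alts


class AltSvcCache:
    """Per-origin alternatives, plus entries that may cover sub-domains."""

    def __init__(self):
        self.exact = {}     # host -> alternatives that host advertised
        self.inherit = {}   # host -> alternatives flagged include-subdomains

    def store(self, origin_host, header_value):
        host = origin_host.lower()
        alts = parse_alt_svc(header_value)
        self.exact[host] = alts
        flagged = [a for a in alts if a["include_subdomains"]]
        if flagged:
            self.inherit[host] = flagged
        else:
            self.inherit.pop(host, None)

    def lookup(self, host):
        host = host.lower()
        # A host's own advertisement always wins over an inherited one.
        if host in self.exact:
            return self.exact[host]
        # Otherwise walk up the parents; the closest flagged ancestor applies.
        labels = host.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            if parent in self.inherit:
                return self.inherit[parent]
        return []
```
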