- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 27 Jan 2016 12:24:22 +1100
- To: Kazuho Oku <kazuhooku@gmail.com>
- Cc: Stefan Eissing <stefan.eissing@greenbytes.de>, Julian Reschke <julian.reschke@gmx.de>, Ilya Grigorik <ilya@igvita.com>, Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>
On 27 January 2016 at 12:11, Kazuho Oku <kazuhooku@gmail.com> wrote:
> Note that the former is not named `domain`. Please refer to
> https://lists.w3.org/Archives/Public/ietf-http-wg/2016JanMar/0132.html
> for the reason behind.

I just re-read that and I think that you have a hole here with this:

> * if a non-wildcard `host` attribute is specified, the scope is the
> host. The value MUST be equal to the host part of the :authority
> pseudo header

This prevents someone from connecting to an HTTP/2 server that supports
multiple names and making assertions about multiple of those names.

For instance, this seems perfectly reasonable to send to a server that
has a cert for example.com and foo.example...

GET / HTTP/1.1
Host: example.com
Cache-Digest: CgRSlw, soOIs;host=foo.example

After all, you want to suppress pushes from foo.example.

(Note that the origin frame might help advise what origins you want to
cover here.)
Received on Wednesday, 27 January 2016 01:24:50 UTC
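Added illustration of the scoping question in the message above; this is not code from the thread, the draft, or any implementation. It parses a Cache-Digest value in the shape Thomson's example shows (comma-separated digest tokens, each with optional `;key=value` parameters; that syntax is inferred from the one example on this page, not taken from the draft's grammar) and then applies the two possible acceptance rules side by side: the quoted draft text, where a non-wildcard `host` must equal the request authority, and the relaxation Thomson argues for, where any name the connection is authoritative for (the server's certificate names or origin set, supplied by the caller) is accepted. The function names, the `served_names` parameter, the treatment of any value containing `*` as a wildcard, and the digest tokens (kept as opaque strings, since the page's values are illustrative) are this example's own assumptions.

```python
"""Cache-Digest `host` scoping: strict (quoted draft rule) vs. relaxed
(accept any name the server is authoritative for). Constructed example;
the header syntax is inferred from `Cache-Digest: CgRSlw, soOIs;host=foo.example`
and all names below are this example's own."""
from dataclasses import dataclass, field


@dataclass
class DigestEntry:
    digest: str                      # opaque token; page values are illustrative, not decoded
    params: dict = field(default_factory=dict)


def parse_cache_digest(value: str) -> list[DigestEntry]:
    """Split 'CgRSlw, soOIs;host=foo.example' into DigestEntry objects.

    Assumed grammar: members separated by ',', parameters by ';', each
    parameter 'key=value'. Parameter names are compared case-insensitively.
    """
    entries = []
    for member in value.split(","):
        member = member.strip()
        if not member:
            continue
        parts = [p.strip() for p in member.split(";")]
        params = {}
        for p in parts[1:]:
            if "=" not in p:
                raise ValueError(f"malformed parameter {p!r}")
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
        entries.append(DigestEntry(parts[0], params))
    return entries


def scope_of(entry: DigestEntry, authority: str) -> str:
    """Name the digest is asserting about: explicit `host`, else the request authority
    (the :authority pseudo-header in HTTP/2, the Host header value in HTTP/1.1)."""
    return entry.params.get("host", authority).lower()


def _is_wildcard(host: str) -> bool:
    # Assumption for this example: any value containing '*' is a wildcard host.
    return "*" in host


def accept_strict(entry: DigestEntry, authority: str) -> bool:
    """Quoted draft rule: a non-wildcard `host` MUST equal the request authority."""
    host = entry.params.get("host")
    if host is None or _is_wildcard(host):
        return True                   # rule does not apply; other rules would govern wildcards
    return host.lower() == authority.lower()


def accept_relaxed(entry: DigestEntry, authority: str, served_names: set[str]) -> bool:
    """Thomson's point: honour a `host` for any name this connection is authoritative
    for (names on the server's cert / origin set), not only the current authority."""
    host = entry.params.get("host")
    if host is None or _is_wildcard(host):
        return True
    names = {n.lower() for n in served_names} | {authority.lower()}
    return host.lower() in names


def filter_digests(header: str, authority: str, served_names: set[str],
                   relaxed: bool = False) -> tuple[list[str], list[str]]:
    """Return (kept_scopes, rejected_scopes) for one header under the chosen rule.

    Under the strict rule the foo.example digest in the page's example is
    rejected even though the server holds a cert for foo.example, which is
    exactly the hole the message describes.
    """
    kept, rejected = [], []
    for e in parse_cache_digest(header):
        ok = (accept_relaxed(e, authority, served_names) if relaxed
              else accept_strict(e, authority))
        (kept if ok else rejected).append(scope_of(e, authority))
    return kept, rejected


if __name__ == "__main__":
    hdr = "CgRSlw, soOIs;host=foo.example"          # from the message
    certs = {"example.com", "foo.example"}            # constructed: names on the server's cert
    print("strict :", filter_digests(hdr, "example.com", certs))
    print("relaxed:", filter_digests(hdr, "example.com", certs, relaxed=True))
```

Under the strict rule the second digest is dropped on the floor even though the server could legitimately push for foo.example on this connection; the relaxed rule keeps it because foo.example is in the set of names the caller says the server is authoritative for. A digest naming a host outside that set is rejected under both rules, so the relaxation does not let a client make assertions about names the server cannot serve.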