Re: New Draft: draft-ohanlon-transport-info-header from Lucas Pardue on 2019-11-25 (ietf-http-wg@w3.org from October to December 2019)

From: Lucas Pardue <lucaspardue.24.7@gmail.com>
Date: Mon, 25 Nov 2019 17:02:50 +0000
To: "Piers O'Hanlon" <piers.ohanlon@bbc.co.uk>
Cc: Patrick McManus <mcmanus@ducksong.com>, "Piers O'Hanlon" <p.ohanlon@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CALGR9oZKy2fCsPjFE8PB7T8q6ovkAuqwrnsBoU3FVLg2wS9ecQ@mail.gmail.com>

IIUC Patrick correctly, I think one threat model relates to connection
coalescing. Imagine two resources: a.example.com/index.html includes
b.example.com/foo.js and the properties of these resources (i.e. authority
and certs) satisfy the requirements for HTTP/2 connection reuse as
described in https://tools.ietf.org/html/rfc7540#section-9.1.1.

a.example.com and b.example.com are in different administrative domains but
requests for b.example.com/foo.js are able to obtain information about the
state of the connection including the effect of requests to a.example.com.
This could be used for fingerprinting or some other form of attack from one
domain to the other.

Lucas

Received on Monday, 25 November 2019 17:03:04 UTC