IIUC Patrick correctly, I think one threat model relates to connection coalescing. Imagine two resources: a.example.com/index.html includes b.example.com/foo.js and the properties of these resources (i.e. authority and certs) satisfy the requirements for HTTP/2 connection reuse as described in https://tools.ietf.org/html/rfc7540#section-9.1.1. a.example.com and b.example.com are in different administrative domains but requests for b.example.com/foo.js are able to obtain information about the state of the connection including the effect of requests to a.example.com. This could be used for fingerprinting or some other form of attack from one domain to the other.

Lucas

Received on Monday, 25 November 2019 17:03:04 UTC
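As an added example (not part of Lucas's message), the following checker evaluates the two RFC 7540 section 9.1.1 conditions under which a client may send b.example.com requests on the connection already opened to a.example.com; the hostnames, address and certificate names are constructed sample data, and the `Connection` type and DNS table are assumptions of this example:

```python
"""Check whether a request to a second origin may reuse an existing HTTP/2
connection under RFC 7540 section 9.1.1: same scheme and port, the new host
resolves to the connection's address, and the certificate covers the new host.
All names and addresses below are constructed sample data."""
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Connection:
    scheme: str
    ip: str           # address the connection was opened to
    port: int
    cert_sans: tuple  # dNSName entries in the server certificate

def san_matches(san: str, host: str) -> bool:
    """Exact match, or a leftmost '*.' wildcard covering exactly one label."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        suffix = san[1:]  # "*.example.com" -> ".example.com"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label
    return san == host

def can_coalesce(conn: Connection, url: str, dns: dict) -> bool:
    """True if `url` meets both RFC 7540 9.1.1 reuse conditions on `conn`."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if parts.scheme != conn.scheme or port != conn.port:
        return False
    if conn.ip not in dns.get(host, ()):   # condition 1: same address
        return False
    return any(san_matches(s, host) for s in conn.cert_sans)  # condition 2

def coalescing_peers(conn: Connection, urls: list, dns: dict) -> list:
    """Origins whose requests would share, and could observe, `conn`."""
    return [u for u in urls if can_coalesce(conn, u, dns)]

# Constructed deployment: a.example.com and b.example.com share an address and
# one certificate; c.example.net shares the address but not the certificate.
SAMPLE_DNS = {"a.example.com": ("198.51.100.10",),
              "b.example.com": ("198.51.100.10",),
              "c.example.net": ("198.51.100.10",)}
SAMPLE_CONN = Connection("https", "198.51.100.10", 443,
                         ("a.example.com", "*.example.com"))
```

When both conditions hold the check returns True and the cross-origin observation of connection state described above becomes possible; serving administratively separate hosts from distinct certificates or addresses makes it return False.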