
Re: New Draft: draft-ohanlon-transport-info-header

From: Lucas Pardue <lucaspardue.24.7@gmail.com>
Date: Mon, 25 Nov 2019 17:02:50 +0000
Message-ID: <CALGR9oZKy2fCsPjFE8PB7T8q6ovkAuqwrnsBoU3FVLg2wS9ecQ@mail.gmail.com>
To: "Piers O'Hanlon" <piers.ohanlon@bbc.co.uk>
Cc: Patrick McManus <mcmanus@ducksong.com>, "Piers O'Hanlon" <p.ohanlon@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
If I understand Patrick correctly, I think one threat model relates to
connection coalescing. Imagine two resources: a.example.com/index.html
includes b.example.com/foo.js, and the properties of these resources (i.e.
authority and certs) satisfy the requirements for HTTP/2 connection reuse as
described in https://tools.ietf.org/html/rfc7540#section-9.1.1.

a.example.com and b.example.com are in different administrative domains, but
requests for b.example.com/foo.js are able to obtain information about the
state of the connection, including the effect of requests to a.example.com.
This could be used for fingerprinting or some other form of attack from one
domain to the other.

Received on Monday, 25 November 2019 17:03:04 UTC
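As an added illustration (not part of the mail above or of the draft), the following Python models the RFC 7540 section 9.1.1 reuse conditions for the a.example.com / b.example.com scenario and a defensive policy, assumed here rather than taken from the draft, of only exposing connection-level transport state on connections that have served a single authority. `Connection`, `serve` and `transport_info_allowed` are hypothetical names; the IPs and certificate names are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass, field


def san_matches(san: str, host: str) -> bool:
    """Certificate name match: exact, or a single '*' covering exactly one leftmost label."""
    san, host = san.lower(), host.lower()
    if san == host:
        return True
    if san.startswith("*."):
        # "*.example.com" covers "a.example.com" but not "example.com" or "x.y.example.com"
        return host.endswith(san[1:]) and host.count(".") == san.count(".")
    return False


def can_coalesce(conn_ips: set[str], conn_sans: list[str], host: str, host_ips: set[str]) -> bool:
    """RFC 7540 s9.1.1: a connection may be reused for a new origin when that origin
    resolves to an address the connection already targets and the connection's
    certificate is valid for the new origin's host."""
    return bool(conn_ips & host_ips) and any(san_matches(s, host) for s in conn_sans)


@dataclass
class Connection:
    ips: set[str]
    sans: list[str]
    authorities_served: set[str] = field(default_factory=set)
    bytes_sent: int = 0  # stand-in for per-connection transport state (constructed)


def serve(conn: Connection, authority: str, authority_ips: set[str], body_size: int) -> bool:
    """Serve a response on conn if the authority is already on it or may be coalesced."""
    if authority not in conn.authorities_served and not can_coalesce(
        conn.ips, conn.sans, authority, authority_ips
    ):
        return False
    conn.authorities_served.add(authority)
    conn.bytes_sent += body_size  # visible to every later request on this connection
    return True


def transport_info_allowed(conn: Connection) -> bool:
    """Assumed mitigation: only expose connection-level transport state when the
    connection has served one authority, so a coalesced request for
    b.example.com/foo.js cannot observe the effect of a.example.com's traffic."""
    return len(conn.authorities_served) <= 1


if __name__ == "__main__":
    c = Connection(ips={"192.0.2.10"}, sans=["*.example.com"])  # constructed sample
    serve(c, "a.example.com", {"192.0.2.10"}, 5000)
    print("coalesced:", serve(c, "b.example.com", {"192.0.2.10"}, 700))
    print("expose transport state:", transport_info_allowed(c))
```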
