[Doh] notes on CORS and DoH

Tony Finch <dot@dotat.at> Wed, 07 November 2018 11:49 UTC

Return-Path: <dot@dotat.at>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 74E1812F295 for <doh@ietfa.amsl.com>; Wed, 7 Nov 2018 03:49:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id INbTfUDKZANj for <doh@ietfa.amsl.com>; Wed, 7 Nov 2018 03:48:59 -0800 (PST)
Received: from ppsw-31.csi.cam.ac.uk (ppsw-31.csi.cam.ac.uk []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01064130DDF for <doh@ietf.org>; Wed, 7 Nov 2018 03:48:58 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([]:42808) by ppsw-31.csi.cam.ac.uk (ppsw.cam.ac.uk []:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1gKMKP-000mN7-LN (Exim 4.91) for doh@ietf.org (return-path <dot@dotat.at>); Wed, 07 Nov 2018 11:48:57 +0000
Date: Wed, 7 Nov 2018 11:48:57 +0000
From: Tony Finch <dot@dotat.at>
To: doh@ietf.org
Message-ID: <alpine.DEB.2.20.1811071108370.4343@grey.csi.cam.ac.uk>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/VYnzrRabUiTZghaiDuEUl3yCaEk>
Subject: [Doh] notes on CORS and DoH
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Nov 2018 11:49:09 -0000

I've amended my `doh101` implementation to support cross-origin requests
from browsers.


DoH GET requests count as "simple requests" from the point of view of
CORS, so they do not require any special support on the server to be
available to any web page. However, because query strings are usually
logged by web servers, DoH GET requests have somewhat worse privacy
properties than POST requests. So it seemed to be worth implementing CORS,
so that POST is available wherever GET is.

What I've done is add `Access-Control-Allow-Origin: *` to regular DoH
responses, and I added support for OPTIONS requests which reply with:

   Access-Control-Allow-Origin: *
   Access-Control-Allow-Methods: OPTIONS, HEAD, GET, POST
   Access-Control-Allow-Headers: Content-Type
   Access-Control-Max-Age: 86400

It's roughly in line with what Cloudflare does for
(Except I'm using a longer method list which matches what I return
for 405 method not allowed errors.)

I've had a very brief look at some of the DoH servers listed at
and CORS support seems to be relatively rare.

f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Fisher, German Bight: Southeast 5 to 7, veering south or southwest 4 or 5.
Moderate or rough. Showers. Good occasionally poor.