Re: [Doh] notes on CORS and DoH

Patrick McManus <mcmanus@ducksong.com> Thu, 08 November 2018 01:20 UTC

Return-Path: <mcmanus@ducksong.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4584D130E76 for <doh@ietfa.amsl.com>; Wed, 7 Nov 2018 17:20:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.988
X-Spam-Level:
X-Spam-Status: No, score=-1.988 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ducksong.com header.b=a2Ig32H/; dkim=pass (2048-bit key) header.d=outbound.mailhop.org header.b=LmaMmH5+
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fHoQLeOnhEA9 for <doh@ietfa.amsl.com>; Wed, 7 Nov 2018 17:20:39 -0800 (PST)
Received: from outbound1a.ore.mailhop.org (outbound1a.ore.mailhop.org [54.213.22.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0906D130E8D for <doh@ietf.org>; Wed, 7 Nov 2018 17:20:39 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1541640038; cv=none; d=outbound.mailhop.org; s=arc-outbound20181012; b=E9VfC4fDNbJCihd3lmYY7N2eqgYyFQj8UDKghUNm5VkefM71yBSKcWEAh0eY857sFQs4/+Zjc+Esp XTsj7S2bTsh8YLE6dJN+QqU8XvraIExnfekc3Ti56koWyP2MfkTdtnuIjVTQ5TY1iBbUnoICO5PcZd k5kC5Lg8Yq+jlKSun9fSI/iDWTWT6JxTDxNBdPOGaLeqeJ1H8ZgnzMxGdduGhb0OMcL19+OmM7Flq5 UAOnPHFSoEAY1p0cd50wgi/DAZuOLaSsAuJ7a6/V73bBt2rMo+NheCBp2vvNYgxp1pnCEbR+Pb30pr +WA+J6N9UpFyWm5l+iY27IO+iSqjKXg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=outbound.mailhop.org; s=arc-outbound20181012; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:dkim-signature:dkim-signature:from; bh=2/DZ36PjKX6IUBaDt3SraPp7PBKB2C174P/AuyxvWVE=; b=OcKd9QHyZEYWC3ZnA24bv7dF846cfQwCcsAOz6YEmkwKlRCVUuhIK0I4kGn5ADZ/40rOdqWkFEg+v B3pfNS2b6ZqQYIUm65OTa53CiS2wOoubI4qbOjkmUBZYCmwFaTm4D1/GTmW2PRQrYCY0B+zQsEwFNj pGRrnGB5EV/h2Tec7vtLl2r9hwSFh8d4nWB3pSR8PzNlMeGBC2UhTGL2T6NBdutJoQHmYXVzKfrqWX HEFJrj7j6NJU1kOA8uXuGYOHq0+d7QLuZ+3uJwjMPt80rvuaQsSV+Ng5CKCJMOcTUBGCIlXHgmfKZ6 krPuPit8amHbKIutk0VwGGfYXYWcJFA==
ARC-Authentication-Results: i=1; outbound1.ore.mailhop.org; spf=pass smtp.mailfrom=ducksong.com smtp.remote-ip=209.85.210.42; dmarc=none header.from=ducksong.com; arc=none header.oldest-pass=0;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ducksong.com; s=duo-1537391512170-ea99bbb3; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:from; bh=2/DZ36PjKX6IUBaDt3SraPp7PBKB2C174P/AuyxvWVE=; b=a2Ig32H/SuLNK/VRV2JN+avyPLR/cgaimNvtRHdkpNEN1oZ3qaVIjOTDfCOwULNigFwAIMyfmPeD6 0PNL6Chv8x1EF2uC5OVjlzjSCzwCYXohaBzpk69vtabj3o4bgBnhbd1t8uRjdBsh7BC8arK8lEXv1i uQE0xUxytsXEnlb0=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outbound.mailhop.org; s=dkim-high; h=content-type:cc:to:subject:message-id:date:from:in-reply-to:references: mime-version:from; bh=2/DZ36PjKX6IUBaDt3SraPp7PBKB2C174P/AuyxvWVE=; b=LmaMmH5+NvVDPsuPwpCEO9q7Vq1Dbs5Jo59LWMH02kPAmtZvuvYTB2mKJj67j/U79yDEnUll/DGTy tV+zAvf4lf/mrNB4O8iDS7scoRFBwVe631OtZNMyB8jLK5JGucgwIcEjQAkp5OnTj/lZOE4QZiVZX0 8P40Xu7bfRDEBGS0ZkSl8l9t1irooKIsX+PHrlZ8zXQ3bLYVKmuq579y8wQWTf+U707uSuu7UKw/Os dWqf4TWoV47lSNa1oVZ8aXNwiAOe+PglwOTSmfGe2nyoA9fQe/lYaS83sMeTsgVgs3qrGKUi/nP3i6 99qEQNu5LfJYSBmKtbCHT5UKsufqprQ==
X-MHO-RoutePath: bWNtYW51cw==
X-MHO-User: 7f56b5df-e2f4-11e8-a93b-310333596487
X-Report-Abuse-To: https://support.duocircle.com/support/solutions/articles/5000540958-duocircle-standard-smtp-abuse-information
X-Originating-IP: 209.85.210.42
X-Mail-Handler: DuoCircle Outbound SMTP
Received: from mail-ot1-f42.google.com (unknown [209.85.210.42]) by outbound1.ore.mailhop.org (Halon) with ESMTPSA id 7f56b5df-e2f4-11e8-a93b-310333596487; Thu, 08 Nov 2018 01:20:37 +0000 (UTC)
Received: by mail-ot1-f42.google.com with SMTP id k9so16660728otl.10 for <doh@ietf.org>; Wed, 07 Nov 2018 17:20:37 -0800 (PST)
X-Gm-Message-State: AGRZ1gK/1D2opcMKj0w798EcCqaZF8bTyEQ8yi+3kRbNIaP/4Lpl0ukW 3qmVkQvs96O60GMV3bEks4WnT87jyKtmUJAQQ2A=
X-Google-Smtp-Source: AJdET5cyZudIGsEzKozL2u9gXq9Napd7oYDIsenm5BCYX/P7N+kvieFwRy8kj7sthwFAlXJ+h57G59E8VIuK8G41kIA=
X-Received: by 2002:a9d:7654:: with SMTP id o20mr576814otl.295.1541640036911; Wed, 07 Nov 2018 17:20:36 -0800 (PST)
MIME-Version: 1.0
References: <alpine.DEB.2.20.1811071108370.4343@grey.csi.cam.ac.uk> <BYAPR19MB22488AEB545DD626765BC86694C40@BYAPR19MB2248.namprd19.prod.outlook.com>
In-Reply-To: <BYAPR19MB22488AEB545DD626765BC86694C40@BYAPR19MB2248.namprd19.prod.outlook.com>
From: Patrick McManus <mcmanus@ducksong.com>
Date: Thu, 8 Nov 2018 08:20:23 +0700
X-Gmail-Original-Message-ID: <CAOdDvNoi_4xVQaeDo-FGLx04uea3m5LhwxcX4Xie0nSExTVD1A@mail.gmail.com>
Message-ID: <CAOdDvNoi_4xVQaeDo-FGLx04uea3m5LhwxcX4Xie0nSExTVD1A@mail.gmail.com>
To: Star Brilliant <m13253@hotmail.com>
Cc: Tony Finch <dot@dotat.at>, DoH WG <doh@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c59080057a1d0afe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/c49WKmZAzReR9NWQrV6vj8xFlUw>
Subject: Re: [Doh] notes on CORS and DoH
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Nov 2018 01:20:50 -0000

>
> I consider there are no security issues with CORS.
> But, does the browser-side cache work for a single URL or a whole site?


cors granularity is a little finer than per url (you salt the url with
credentials, method, etc..)


> Will it be a problem if a DoH server shares the same hostname with another
> website?
>

not for cors, and generally not at all. There's nothing wrong with multiple
doh servers (with multiple resoltuion policies) sharing the same origin.

There are a couple things that apply site-wide in http, but very few. (hsts
for example.)


>
> Best regards,
> StarBrilliant
>
> [1]:
> https://github.com/m13253/dns-over-https/commit/4754aa0414840349dc22a11b954d5f2c8243cf00
> _______________________________________________
> Doh mailing list
> Doh@ietf.org
> https://www.ietf.org/mailman/listinfo/doh
>
>