Re: [Doh] Hackathon javascript client & browser issue

Patrick McManus <pmcmanus@mozilla.com> Sun, 18 March 2018 15:09 UTC

Return-Path: <pmcmanus@mozilla.com>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B122C126E01 for <doh@ietfa.amsl.com>; Sun, 18 Mar 2018 08:09:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.234
X-Spam-Level:
X-Spam-Status: No, score=-1.234 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zUmfoSTdFYCV for <doh@ietfa.amsl.com>; Sun, 18 Mar 2018 08:09:14 -0700 (PDT)
Received: from linode64.ducksong.com (www.ducksong.com [192.155.95.102]) by ietfa.amsl.com (Postfix) with ESMTP id 8B123126BF7 for <doh@ietf.org>; Sun, 18 Mar 2018 08:09:14 -0700 (PDT)
Received: from mail-oi0-f50.google.com (mail-oi0-f50.google.com [209.85.218.50]) by linode64.ducksong.com (Postfix) with ESMTPSA id C24BB3A021 for <doh@ietf.org>; Sun, 18 Mar 2018 11:09:13 -0400 (EDT)
Received: by mail-oi0-f50.google.com with SMTP id 20so5257271oiq.5 for <doh@ietf.org>; Sun, 18 Mar 2018 08:09:13 -0700 (PDT)
X-Gm-Message-State: AElRT7FtvqfF0nQvWVZRQuFzkyZC1jTeFCkGUN7PCuLUJiVFrwPlH/4w lcmEg3w+KPBE5BgEJhBJe/0jJ6pR6p1SYDkhbdQ=
X-Google-Smtp-Source: AG47ELvH75M5PmEQwZ5WzibLkNyFfqAc3S4e2Xui3goyzeSkqA+hWPlUCRJKpKv2rQQGcEM8ezgqU2fC1sOdP/qDRRI=
X-Received: by 10.202.3.65 with SMTP id 62mr5470809oid.38.1521385753350; Sun, 18 Mar 2018 08:09:13 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.74.66.212 with HTTP; Sun, 18 Mar 2018 08:09:12 -0700 (PDT)
In-Reply-To: <07A79B82-9B30-4BA6-96C8-175707581178@bangj.com>
References: <07A79B82-9B30-4BA6-96C8-175707581178@bangj.com>
From: Patrick McManus <pmcmanus@mozilla.com>
Date: Sun, 18 Mar 2018 15:09:12 +0000
X-Gmail-Original-Message-ID: <CAOdDvNq2V_pVuSs-qKSt01QcphMNoc02qA8D3AHPZLjVFwhh7w@mail.gmail.com>
Message-ID: <CAOdDvNq2V_pVuSs-qKSt01QcphMNoc02qA8D3AHPZLjVFwhh7w@mail.gmail.com>
To: Tom Pusateri <pusateri@bangj.com>
Cc: doh@ietf.org
Content-Type: multipart/alternative; boundary="001a113ba08065212d0567b13930"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/o4_ySRwDHRl8kWjcegY6YyQabGw>
Subject: Re: [Doh] Hackathon javascript client & browser issue
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Mar 2018 15:09:16 -0000

Layers ahoy!

The rules that govern javascript networking are broadly from xhr/fetch/CORS
(non IETF standards) and these apply to javascript using any HTTP API.
There is nothing particular of DoH, but a browser-js implementation of DoH
is subject to them (as would be accessing a published REST API for
example). In the configuration you describe, the HTTP server is indeed
going to need to whitelist the preflight - but neither the preflight
request or response is itself a DoH request/response.Indeed, they are
literally the pre-flight before the DoH flight.

And its a bit of an aside, but I'm pretty happy with this outcome. It means
DNS is accessible from js-content but only subject to the web's existing
Same-Origin/Cross-Origin security model.. which is something that has known
properties.

-P

On Sun, Mar 18, 2018 at 2:10 PM, Tom Pusateri <pusateri@bangj.com>; wrote:

> Working in the hackathon, I created a simple node javascript client to
> test DoH.
>
> https://github.com/pusateri/doh-client
>
> This works fine and then Stéphane asked if it could run in the browser. So
> I did this:
>
> https://github.com/pusateri/doh-webpack
>
> However, when sending a POST to a test server, I am getting a error (400)
> response to an initial pre-flight OPTIONS request.
>
> According to https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#
> Simple_requests
>
> The only content types allowed for a POST are:
>
>         • application/x-www-form-urlencoded
>         • multipart/form-data
>         • text/plain
>
> so a question I have, should the DoH servers respond to a pre-flight
> OPTIONS method or are things working as designed because this shouldn’t be
> allowed to run in a browser?
>
> Thanks,
> Tom
>
>
>
>
> _______________________________________________
> Doh mailing list
> Doh@ietf.org
> https://www.ietf.org/mailman/listinfo/doh
>