Re: [Doh] notes on CORS and DoH

Star Brilliant <m13253@hotmail.com> Wed, 07 November 2018 12:23 UTC

From: Star Brilliant <m13253@hotmail.com>
To: Tony Finch <dot@dotat.at>, "doh@ietf.org" <doh@ietf.org>
Date: Wed, 07 Nov 2018 12:23:28 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/yx3KLH4Ouaaov2_kwa8kMTHaVm4>

On Wed, Nov 7, 2018 at 7:49 PM Tony Finch <dot@dotat.at> wrote:
>
> I've amended my `doh101` implementation to support cross-origin requests
> from browsers.
>
> https://github.com/fanf2/doh101/
>
> DoH GET requests count as "simple requests" from the point of view of
> CORS, so they do not require any special support on the server to be
> available to any web page. However, because query strings are usually
> logged by web servers, DoH GET requests have somewhat worse privacy
> properties than POST requests. So it seemed to be worth implementing CORS,
> so that POST is available wherever GET is.
>
> What I've done is add `Access-Control-Allow-Origin: *` to regular DoH
> responses, and I added support for OPTIONS requests which reply with:
>
>    Access-Control-Allow-Origin: *
>    Access-Control-Allow-Methods: OPTIONS, HEAD, GET, POST
>    Access-Control-Allow-Headers: Content-Type
>    Access-Control-Max-Age: 86400
>
> It's roughly in line with what Cloudflare does for
> https://cloudflare-dns.com/dns-query
> (Except I'm using a longer method list which matches what I return
> for 405 method not allowed errors.)
>
> I've had a very brief look at some of the DoH servers listed at
> https://github.com/curl/curl/wiki/DNS-over-HTTPS#doh-tools
> and CORS support seems to be relatively rare.
>
> Tony.
> --
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> Fisher, German Bight: Southeast 5 to 7, veering south or southwest 4 or 5.
> Moderate or rough. Showers. Good occasionally poor.


Hello Tony,

Thank you for your reminder!

I also amended my implementation [1]. The code is pending to be released before I test it throughout.

I consider there are no security issues with CORS.
But, does the browser-side cache work for a single URL or a whole site? Will it be a problem if a DoH server shares the same hostname with another website?

Best regards,
StarBrilliant

[1]: https://github.com/m13253/dns-over-https/commit/4754aa0414840349dc22a11b954d5f2c8243cf00
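The CORS behaviour Tony describes, written out as a Go HTTP handler. This is an added example, not code from doh101 or from dns-over-https: OPTIONS preflights get the four headers, every other response carries `Access-Control-Allow-Origin: *`, and one method list feeds both `Access-Control-Allow-Methods` and the `Allow` header of 405 replies. The `dohHandler`/`echoResolver` names are assumptions, and `echoResolver` is a constructed stand-in for a real upstream.

```go
package main

import (
	"encoding/base64"
	"io"
	"net/http"
)

// One method list for both Access-Control-Allow-Methods and Allow (405), so they never drift.
const allowedMethods = "OPTIONS, HEAD, GET, POST"

// dohHandler serves a DoH endpoint with the CORS behaviour from the thread; resolve maps a wire-format query to a wire-format answer.
func dohHandler(resolve func(query []byte) []byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", "*") // on every response, not only preflight
		var query []byte
		switch r.Method {
		case http.MethodOptions:
			// POST with Content-Type application/dns-message is not a CORS "simple request", so browsers preflight it.
			h.Set("Access-Control-Allow-Methods", allowedMethods)
			h.Set("Access-Control-Allow-Headers", "Content-Type")
			h.Set("Access-Control-Max-Age", "86400") // browsers cache this per origin and URL
			w.WriteHeader(http.StatusNoContent)
			return
		case http.MethodGet, http.MethodHead:
			// Simple request: the query travels as unpadded base64url in ?dns=
			query, _ = base64.RawURLEncoding.DecodeString(r.URL.Query().Get("dns"))
		case http.MethodPost:
			if r.Header.Get("Content-Type") != "application/dns-message" {
				http.Error(w, "unsupported media type", http.StatusUnsupportedMediaType)
				return
			}
			query, _ = io.ReadAll(io.LimitReader(r.Body, 65535))
		default:
			h.Set("Allow", allowedMethods)
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		if len(query) < 12 { // shorter than a DNS header cannot be a query
			http.Error(w, "malformed DNS query", http.StatusBadRequest)
			return
		}
		h.Set("Content-Type", "application/dns-message")
		w.Write(resolve(query))
	})
}

// echoResolver is a constructed stand-in for an upstream resolver: it copies the query and sets the QR bit.
func echoResolver(q []byte) []byte { a := append([]byte(nil), q...); a[2] |= 0x80; return a }
```

On the caching question: the browser's preflight cache is keyed by origin and request URL (plus method and header names), so a preflight answer for `/dns-query` does not extend to other paths on the same hostname.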