Re: Alt-svc and CORS

Julian Reschke <julian.reschke@gmx.de> Wed, 07 October 2015 08:36 UTC

To: Christer Holmberg <christer.holmberg@ericsson.com>, HTTP Working Group <ietf-http-wg@w3.org>

On 2015-10-07 09:40, Christer Holmberg wrote:
> Hi,
>
> Assume the following case:
>
> 1. A browser requests a page, index.html, from origin example.com.
>
> 2. The page contains an image resource from pictures.com
>
> 3. A cross origin request for the image is sent to pictures.com. The
> Origin header value in the request is “example.com”.
>
> 4. pictures.com has set its CORS policies to allow access to the image
> from origin example.com, so it accepts the request and sends a response
> with the image. The ACAO header value in the response is “example.com”.
>
> 5. The browser receives the image, and renders it on the page.
>
> So far so good.
>
> Then, assume that example.com uses Alt-svc, and provides index.html also
> from duxample.com. Now, assume the following case:
>
> 1. The browser requests index.html from origin duexample.com (based on
> whatever logic)
>
> 2. The cross origin request for the image is sent to pictures.com
>
> QUESTION #1: When the request for the image is sent to pictures.com,
> will it contain an Alt-Used header? Note that picture.com is not an
> alternative service.

My understanding is that the header field should not be sent. We 
currently say in 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-alt-svc-latest.html#rfc.section.5.p.3>:

"When using an alternative service, clients SHOULD include a Alt-Used 
header field in all requests."

Maybe change this to

"When using an alternative service, clients SHOULD include a Alt-Used 
header field in all requests sent to that service."?

> QUESTION #2: When the request for the image is sent to pictures.com,
> what will the value of the Origin header be?
>
> 1) As Alt-svc is not supposed to change/replace the origin, will the
> header value be “example.com”?; or
>
> 2) Will the header value be “duxample.com”? If so, does that mean that
> picture.com will not accept the image request, as the CORS policy only
> gives access to example.com? Would picture.com need to be aware of each
> alternative service of example.com, and give access to the image to each
> of the alternative service? That doesn’t sound right.

Yes, it would be 1).


We currently say in 
<http://greenbytes.de/tech/webdav/draft-ietf-httpbis-alt-svc-latest.html#rfc.section.2.p.4>:

"Alternative services do not replace or change the origin for any given 
resource; in general, they are not visible to the software "above" the 
access mechanism. The alternative service is essentially alternative 
routing information that can also be used to reach the origin in the 
same way that DNS CNAME or SRV records define routing information at the 
name resolution level. Each origin maps to a set of these routes — the 
default route is derived from the origin itself and the other routes are 
introduced based on alternative-protocol information."

Isn't that sufficient?

Best regards, Julian
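
The two answers above, as an added example that is not part of the original message or of the draft: a small model of a client that keeps an Alt-Svc cache, routes requests for example.com to the alternative, and then issues the cross-origin image request. The cache entry, the image path, the full `https://` origin serialization and the function names are assumptions made for illustration; the `host:port` form of the Alt-Used value follows RFC 7838, the published version of this draft.

```javascript
// Constructed model of client-side Alt-Svc handling; not browser or draft code.
// Alt-Svc cache: origin -> alternative authority advertised by that origin.
const altSvcCache = new Map([
  ["https://example.com", "duexample.com:443"], // constructed entry
]);

// Default route: the authority derived from the origin itself.
function defaultAuthority(u) {
  return `${u.hostname}:${u.port || (u.protocol === "https:" ? 443 : 80)}`;
}

// Build the request for `url`. `pageOrigin` is the origin of the document
// making the request, or null for a top-level navigation.
function buildRequest(url, pageOrigin) {
  const target = new URL(url);
  const alt = altSvcCache.get(target.origin);
  const headers = { Host: target.host }; // Host still names the origin
  // Alt-Used is sent only on requests routed to the alternative service.
  if (alt) headers["Alt-Used"] = alt;
  // Origin carries the requesting document's origin, never the route taken.
  if (pageOrigin && pageOrigin !== target.origin) headers["Origin"] = pageOrigin;
  return { connectTo: alt || defaultAuthority(target), origin: target.origin, headers };
}

// Server-side CORS decision at pictures.com: ACAO value, or null to refuse.
function acaoFor(allowList, request) {
  const origin = request.headers["Origin"];
  return allowList.includes(origin) ? origin : null;
}

function scenario() {
  const allowList = ["https://example.com"]; // pictures.com policy (constructed)
  const page = buildRequest("https://example.com/index.html", null);
  const image = buildRequest("https://pictures.com/cat.png", page.origin);
  // Counterfactual (answer 2 in the question): Origin derived from the route.
  const wrong = { headers: { Origin: "https://duexample.com" } };
  return { page, image, acao: acaoFor(allowList, image), acaoIfRouteLeaked: acaoFor(allowList, wrong) };
}

console.log(JSON.stringify(scenario(), null, 2));
```

The page request connects to duexample.com:443 with Alt-Used set, while the image request goes to pictures.com:443 with `Origin: https://example.com` and no Alt-Used, so the existing CORS allow-list matches without pictures.com knowing about any alternative service.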