Alt-svc and CORS

Christer Holmberg <christer.holmberg@ericsson.com> Wed, 07 October 2015 07:43 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Date: Wed, 07 Oct 2015 07:40:17 +0000
Message-ID: <7594FB04B1934943A5C02806D1A2204B37B27C46@ESESSMB209.ericsson.se>
Subject: Alt-svc and CORS
Archived-At: <http://www.w3.org/mid/7594FB04B1934943A5C02806D1A2204B37B27C46@ESESSMB209.ericsson.se>

Hi,

Assume the following case:

1. A browser requests a page, index.html, from origin example.com.

2. The page contains an image resource from pictures.com.

3. A cross-origin request for the image is sent to pictures.com. The Origin header value in the request is "example.com".

4. pictures.com has set its CORS policies to allow access to the image from origin example.com, so it accepts the request and sends a response with the image. The ACAO header value in the response is "example.com".

5. The browser receives the image and renders it on the page.

So far so good.

Then, assume that example.com uses Alt-Svc, and provides index.html also from duxample.com. Now, assume the following case:

1. The browser requests index.html from origin duxample.com (based on whatever logic).

2. The cross-origin request for the image is sent to pictures.com.

QUESTION #1: When the request for the image is sent to pictures.com, will it contain an Alt-Used header? Note that pictures.com is not an alternative service.

QUESTION #2: When the request for the image is sent to pictures.com, what will the value of the Origin header be?

1) As Alt-Svc is not supposed to change/replace the origin, will the header value be "example.com"? or

2) Will the header value be "duxample.com"? If so, does that mean that pictures.com will not accept the image request, as the CORS policy only gives access to example.com? Would pictures.com need to be aware of each alternative service of example.com, and give access to the image to each of the alternative services? That doesn't sound right.

Regards,

Christer
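As an added example (not part of the mail), a small Python model of the two flows described in the message, built on the premise the mail itself gives in option 1: an alternative service changes only the host the browser connects to, not the origin the page is attributed to. All function names are constructed for illustration, and the rule that Alt-Used is attached only on requests that actually use an alternative is modelled as an assumption.

```python
# Constructed sample data: the mail's hosts and pictures.com's CORS policy.
ALT_SVC_CACHE = {"example.com": "duxample.com"}   # learned from Alt-Svc
CORS_ALLOW = {"pictures.com": {"example.com"}}      # origins allowed to read


def connect(origin, alt_svc_cache):
    """Host to open a connection to for `origin`, plus the Alt-Used value
    the client sends when it picked an alternative (None otherwise)."""
    alt = alt_svc_cache.get(origin)
    return (origin, None) if alt is None else (alt, alt)


def load_page(origin, alt_svc_cache):
    """Fetch index.html. Assumption modelled here: reaching the page via an
    alternative changes the host connected to, not the page's origin."""
    host, alt_used = connect(origin, alt_svc_cache)
    return {"connected_to": host, "alt_used": alt_used, "page_origin": origin}


def build_request(page_origin, target, alt_svc_cache):
    """Headers on a cross-origin request to `target` from a page at page_origin.
    Alt-Used is attached only when `target` itself has an alternative."""
    host, alt_used = connect(target, alt_svc_cache)
    headers = {"Host": target, "Origin": page_origin}
    if alt_used:
        headers["Alt-Used"] = alt_used
    return host, headers


def server_cors_headers(server, request_headers):
    """Server-side check: reflect Origin in ACAO only if the policy allows it."""
    origin = request_headers.get("Origin")
    if origin in CORS_ALLOW.get(server, set()):
        return {"Access-Control-Allow-Origin": origin}
    return {}


def browser_accepts(page_origin, response_headers):
    """Browser-side check: the response is exposed only if ACAO matches."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    return acao == "*" or acao == page_origin


def fetch_image(page_origin, image_server, alt_svc_cache):
    """Full round trip: returns (host connected to, request headers, accepted)."""
    host, req = build_request(page_origin, image_server, alt_svc_cache)
    resp = server_cors_headers(image_server, req)
    return host, req, browser_accepts(page_origin, resp)
```

Under this model the page loaded through duxample.com still carries Origin "example.com" and no Alt-Used header on the pictures.com request, so the existing CORS policy keeps working; the last assertion in the test shows what would happen if the origin really did become duxample.com.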