Alt-svc and CORS

Christer Holmberg <> Wed, 07 October 2015 07:43 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 5B4E51A1A1D for <>; Wed, 7 Oct 2015 00:43:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id a74VnULv14zp for <>; Wed, 7 Oct 2015 00:43:32 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E538C1A8AA7 for <>; Wed, 7 Oct 2015 00:43:31 -0700 (PDT)
Received: from lists by with local (Exim 4.80) (envelope-from <>) id 1ZjjLJ-0001Dd-3C for; Wed, 07 Oct 2015 07:40:53 +0000
Resent-Date: Wed, 07 Oct 2015 07:40:53 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <>) id 1ZjjLE-0001Bo-BT for; Wed, 07 Oct 2015 07:40:48 +0000
Received: from ([]) by with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.80) (envelope-from <>) id 1ZjjL8-0004aB-Bi for; Wed, 07 Oct 2015 07:40:45 +0000
X-AuditID: c1b4fb25-f79a26d00000149a-f2-5614cc62267e
Received: from (Unknown_Domain []) by (Symantec Mail Security) with SMTP id 1C.A1.05274.26CC4165; Wed, 7 Oct 2015 09:40:18 +0200 (CEST)
Received: from ([]) by ([]) with mapi id 14.03.0248.002; Wed, 7 Oct 2015 09:40:17 +0200
From: Christer Holmberg <>
To: HTTP Working Group <>
Thread-Topic: Alt-svc and CORS
Thread-Index: AdEA0tWguIxbd34HTt21y6gJUShY2A==
Date: Wed, 07 Oct 2015 07:40:17 +0000
Message-ID: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_7594FB04B1934943A5C02806D1A2204B37B27C46ESESSMB209erics_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrGLMWRmVeSWpSXmKPExsUyM+JvjW7SGZEwg46DShaHW2YxOTB6HJ23 nzWAMYrLJiU1J7MstUjfLoEr49bEJuaCeZEVn9tuszYwHvPrYuTkkBAwkVh2/iIzhC0mceHe erYuRi4OIYGjjBKH1r1nh3AWM0rc/70GKMPBwSZgIdH9TxukQURAR6KjZTETiC0sICkx9/A+ Noi4nMSv+98ZIWw9ibk3NoHZLAIqEhMf3wFbxivgK7Fx2iKwXkagxd9PrQGzmQXEJW49mc8E cZCAxJI956GOE5V4+fgfK8gJEgJKEtO2pkGU50v8W7qeBWKkoMTJmU9YJjAKzUIyaRaSsllI yiDiOhILdn9ig7C1JZYtfM0MY5858JgJWXwBI/sqRtHi1OKk3HQjY73Uoszk4uL8PL281JJN jMCIOLjlt+oOxstvHA8xCnAwKvHwJriIhAmxJpYVV+YeYpTmYFES521mehAqJJCeWJKanZpa kFoUX1Sak1p8iJGJg1OqgVFh9vV3baaz31uW6dVv+VTLGuO9K3Ct7eytCgpcnOyNBSvcToXW nJm8qsJ9y93gKd+v6bn8WH2o7nyVkvEL6ZN//Gzv/76q9i5lec0hZsnjaZoJs+fc5Lg3U+NB 2G/NnDw3z28+b19WSjSyZf/4Fnj6tdS/oKcvi3d4nIoP8L0a/a/j1kphK20lluKMREMt5qLi RAAgogZCaQIAAA==
Received-SPF: pass client-ip=;;
X-W3C-Hub-Spam-Status: No, score=-6.1
X-W3C-Hub-Spam-Report: AWL=0.126, BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: 1ZjjL8-0004aB-Bi fc105a1314e185c6c05fe76f4b7df292
Subject: Alt-svc and CORS
Archived-At: <>
X-Mailing-List: <> archive/latest/30343
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>


Assume the following case:

1.       A browser requests a page, index.html, from origin

2.       The page contains an image resource from

3.       A cross origin request for the image is sent to The Origin header value in the request is "".

4. has set its CORS policies to allow access to the image from origin, so it accepts the request and sends a response with the image. The ACAO header value in the response is "".

5.       The browser receives the image, and renders it on the page.

So far so good.

Then, assume that uses Alt-svc, and provides index.html also from Now, assume the following case:

1.       The browser requests index.html from origin (based on whatever logic)

2.       The cross origin request for the image is sent to

QUESTION #1: When the request for the image is sent to, will it contain an Alt-Used header? Note that is not an alternative service.

QUESTION #2: When the request for the image is sent to, what will the value of the Origin header be?

1)      As Alt-svc is not supposed to change/replace the origin, will the header value be ""?; or

2)      Will the header value be ""? If so, does that mean that will not accept the image request, as the CORS policy only gives access to Would need to be aware of each alterative service of, and give access to the image to each of the alternative service? That doesn't sound right.