[quicwg/base-drafts] Introduce a bit to indicate the server doesn't do IP-based authentication (#1993)
Anne van Kesteren <notifications@github.com> Mon, 12 November 2018 09:53 UTC
Web browsers have needed to invent a variety of schemes to talk to servers, such as the [CORS protocol](https://fetch.spec.whatwg.org/#http-cors-protocol) for HTTP and WebSocket as some kind of TCP, to avoid allowing `attacker.example` access to IP-authenticated data (e.g., intranets without the best security setup).

It'd be nice if this kind of thing could be done at the base protocol level. This would also allow browsers to expose a QUIC^W??? API to communicate with arbitrary servers that have the relevant bit set. (If such an API saw adoption that might also be a further incentive for middleware to get their act together.)

This would not obviate the need for something like CORS entirely, as requests containing cookies or HTTP authentication data would still require explicit consent, but it would allow browser-based applications to more usefully take part in the ecosystem.

cc @jakearchibald