IETF Logo Mail Archive

Re: [Wish] Note on cross-origin WISH from browser

Adam Roach <adam@nostrum.com> Thu, 15 July 2021 21:17 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: wish@ietfa.amsl.com
Delivered-To: wish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D68B13A0FCC for <wish@ietfa.amsl.com>; Thu, 15 Jul 2021 14:17:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.678
X-Spam-Level:
X-Spam-Status: No, score=-1.678 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nostrum.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OYWmm0b1jVYZ for <wish@ietfa.amsl.com>; Thu, 15 Jul 2021 14:17:32 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB6073A0FCA for <Wish@ietf.org>; Thu, 15 Jul 2021 14:17:31 -0700 (PDT)
Received: from Zephyrus.local (76-218-40-253.lightspeed.dllstx.sbcglobal.net [76.218.40.253]) (authenticated bits=0) by nostrum.com (8.16.1/8.16.1) with ESMTPSA id 16FLHO8m065785 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Thu, 15 Jul 2021 16:17:25 -0500 (CDT) (envelope-from adam@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1626383846; bh=UcnL4S/UHft2VbIKSy+xNy1Y2uuv7IsF9oi4gZ+u2qc=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=EIyM5s0H+c/pgRH+GcDF2xDAj9J/PbKhTmhx3P7yuhcj+5+6yF++FccyMhVgwqbRU V523yLD+kHhpKR87zGvEeK5qsC//BRtxzomeT9m/1ITP3xgrlkpRWdw8Z6dJFKLRc4 wuFytzlgTHzEWG0yHiC299zZ6ImkVLV8P+eKpCUw=
X-Authentication-Warning: raven.nostrum.com: Host 76-218-40-253.lightspeed.dllstx.sbcglobal.net [76.218.40.253] claimed to be Zephyrus.local
To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>, Cameron Elliott <garapa1@gmail.com>
Cc: WISH List <Wish@ietf.org>
References: <CAMyc9bXKiRT-Sgata+SN7zMqvg9oRw3OFy=81O02qjv6HNLMAQ@mail.gmail.com> <CA+ag07ZG1raGHA1fPAzp_M_QHDxGXfrdB1arqED298urxT_z-w@mail.gmail.com>
From: Adam Roach <adam@nostrum.com>
Message-ID: <821f8d04-be89-255f-0b45-4f8d0b8a5a8c@nostrum.com>
Date: Thu, 15 Jul 2021 16:17:19 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.11.0
MIME-Version: 1.0
In-Reply-To: <CA+ag07ZG1raGHA1fPAzp_M_QHDxGXfrdB1arqED298urxT_z-w@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------F8A37F910FDA681BB93BAE47"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/4fniO66BvxEArOiL0_MhzIFwoEQ>
Subject: Re: [Wish] Note on cross-origin WISH from browser
X-BeenThere: wish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: WebRTC Ingest Signaling over HTTPS <wish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wish>, <mailto:wish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wish/>
List-Post: <mailto:wish@ietf.org>
List-Help: <mailto:wish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wish>, <mailto:wish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Jul 2021 21:17:38 -0000

For what it's worth, the use of CORS on the web via OPTIONS preflight is 
very common in my experience. I've yet to see a large-scale webapp that 
doesn't make use of it; and I had take for granted that this was the 
approach that WHIP would leverage.

It's probably worth some treatment in the draft, though, for avoidance 
of doubt.

/a

On 7/15/21 12:45, Sergio Garcia Murillo wrote:
> Hi Cameron,
>
> Indeed my intention is that WISH/WHIP works with CORS, and that the 
> HTTP OPTIONS have to be implemented on the server side in order to 
> allow it.
>
> I thought it was common http-knowledge and there was no need to have 
> it covered in the spec. I will add it to the slides for the next 
> meeting to discuss if we should explicitly mention it on the spec or 
> not. Does that make sense?
>
> Best regards
> Sergio
>
> El jue, 15 jul 2021 a las 19:29, Cameron Elliott (<garapa1@gmail.com 
> <mailto:garapa1@gmail.com>>) escribió:
>
>     I discovered something recently about WISH from the browser.
>     (sorry if this has been covered)
>
>
>     Cross-origin (differing domain,scheme or port) WISH POST requests
>     (from the browser) will be blocked,
>     which is expected for cross-origin requests.
>
>     But, what if we want to do cross-origin WISH to permit publishing
>     to different ingress points?
>     (from the browser)
>
>     Cross-origin WISH should be doable by using one of the CORS
>     enablement methods:
>
>     There are two main ways of CORS being permitted:
>     1. With flags to the fetch() method at the browser. ('cors' or
>     'no-cors')
>     <https://developer.mozilla.org/en-US/docs/Web/API/Request/mode#value>
>     2. By the server responding to a a CORS preflight request
>     <https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#preflighted_requests>,
>     which is an HTTP OPTIONS request involving headers exchange.
>
>     Method #1 is NOT available under WISH because WISH doesn't conform
>     to 'simple requests'
>     <https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests> under
>     CORS.
>     Method #1 would be available under WISH if WISH used or allowed
>     'plain/text' for the Content-Type header.
>
>     Method #2 does allow browser-based cross-origin WISH requests when
>     properly implemented at the server,
>     but I would say method #2 is rather unknown (it was to me anyway).
>     I implemented this, and it's not hard,
>     but it is not trivial either, compared to getting traditional POST
>     handling going.
>
>     *Does anyone else think it's worth discussing the loss of WISH
>     browser-side cross-origin request enablement?*
>
>     I personally can envision use-cases for WISH where the browser
>     could send media using WISH
>     to various different cloud ingress points, where cross-origin
>     requests are needed.
>     This won't be possible unless all those cloud ingres points
>     implement correctly the HTTP OPTIONS method
>     for handling a CORS preflight request
>     <https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#preflighted_requests>,
>     AND the proxies and load balancers properly in front of the ingress
>     server properly, cleanly pass the HTTP OPTIONS request and
>     response between client/server,
>     /unless we decide to make tweaks that enable browser-side CORS
>     enablement./
>
>
>     Cameron / Seattle
>
>     -- 
>     Wish mailing list
>     Wish@ietf.org <mailto:Wish@ietf.org>
>     https://www.ietf.org/mailman/listinfo/wish
>
>

v2.8.7 | Report a Bug | By Email