Changeset 2175


Timestamp:
Jan 30, 2013, 11:15:27 PM
Author:
martin.thomson@…
Message:

Adding security consideration for pushed resources.

File:
1 edited

  • draft-ietf-httpbis-http2/latest/draft-ietf-httpbis-http2.xml

    r2174 r2175  
    13671367<t>Pushed resources do not have an associated request.  In order for existing HTTP cache control validations (such as the Vary header) to work, however, all cached resources must have a set of request headers.  For this reason, browsers MUST be careful to inherit request headers from the associated stream for the push.  This includes the 'Cookie' header.</t>
    13681368      </section>
     1369     
     1370<section title="Cacheability of Pushed Resources">
     1371<t>
     1372  Resources that are pushed is possible, based on the guidance provided by the origin server in
     1373  the Cache-Control header field.  However, this can cause issues if a single server hosts more
     1374  than one tenant.  For example, a server might offer multiple users each a small portion of its
     1375  URI space.
     1376</t>
     1377<t>
     1378  Where multiple tenants share space on the same server, that server MUST ensure that tenants
     1379  are not able to push representations of resources that they do not have authority over.
     1380  Failure to enforce this would allow a tenant to provide a representation that would be served
     1381  out of cache, overriding the actual representation that the authoritative tenant provides.
     1382</t>
     1383</section>
    13691384    </section>
    13701385
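Review bot: line 1372 of the new section reads "Resources that are pushed is possible", which is ungrammatical and hides the subject of the sentence; suggest "Caching of pushed resources is possible, based on the guidance provided by the origin server in the Cache-Control header field." The MUST at lines 1378-1379 is placed on the server, which is the right party given that a client receiving a pushed response cannot tell which tenant produced it; consider stating that directly (for example, "Clients cannot distinguish a representation pushed by one tenant from one pushed by another, so this check can only be performed by the server"). The consequence described at lines 1380-1381 is cache poisoning by a co-tenant, and naming it as such would help readers find it. The added <section> opens and closes inside the hunk, so the XML nesting around the unchanged closing tags at 1384 is consistent.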
     
    16321647<section title="Since draft-ietf-httpbis-http2-01" anchor="changes.since.draft-ietf-httpbis-http2-01">
    16331648<t>
    1634   None yet
     1649  Removed per-frame version field.
     1650</t>
     1651<t>
     1652  Altered flow control properties to include session-level limits.
     1653</t>
     1654<t>
     1655  Added note on cacheability of pushed resources and multiple tenant servers.
    16351656</t>
    16361657</section>
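Review bot: the change-log entries at lines 1649 and 1652 ("Removed per-frame version field." and "Altered flow control properties to include session-level limits.") describe changes that are not in this changeset: the message says only "Adding security consideration for pushed resources", one file is edited, and the only other hunk is the new cacheability section. If those changes landed in earlier revisions without a change-log entry, say so in the message, or record them in their own changeset so the history stays attributable; only the entry at line 1655 corresponds to this diff. Replacing the "None yet" placeholder at line 1634 with the three <t> paragraphs leaves the section well-formed.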