Alt-Svc header host restriction

[mnot]

When we were originally working on Alt-Svc, Patrick and I put a restriction on the Alt-Svc header field so that it couldn’t redirect clients to a different host.

Since then, several people have pointed out that the requirement to have strong server authentication, as well as cache flushing, seems to contain the risk associated with doing this, and that the facility could be quite useful.

So, I’m suggesting we (re-) add the capability to the header.

[mnot]

Discussed in NYC; do it.

[reschke]

Two questions:

1. the text around the ALTSVC frame currently talks about IDNA; I assume the same considerations would apply for the header field once we include the host, right?

2. if we change the value from port to host:port we'll have to allow quoted-string syntax as well (because of the ":"), right?

[martinthomson]

Yes, IDNA restrictions apply equally (to bother or neither). The colon sucks, if you want a consistent grammar. (I suppose Host is an exception in that regard.)

[reschke]

On 2014-06-10 01:32, Martin Thomson wrote:

Yes, IDNA restrictions apply equally (to bother or neither). The colon
sucks, if you want a consistent grammar. (I suppose Host is an exception
in that regard.)

We already require understanding of quoted-string when processing the
parameters, so I'll stick to the colon and make the value
token/quoted-string.

Best regards, Julian

[enygren]

Do we need to clarify whether IP addresses (IPv4 and/or IPv6) are or are not allowed?
If so, for the IPv6 case are the square brackets required and do the colons need to be escaped?

[reschke]

The intent is to allow exactly what's allowed in an HTTP Host header field, which includes IP addresses.

See http://greenbytes.de/tech/webdav/rfc3986.html#host

So yes, IPv6 addresses would require square brackets. And no, colons would not need any additional escaping.

[reschke]

Still need to explain what checks need to be done when switching hosts; see http://lists.w3.org/Archives/Public/ietf-http-wg/2014AprJun/1232.html