more HTTPS getout clause
mnot committed Feb 2, 2017
1 parent 91b2a4e commit 227694d
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion draft-ietf-httpbis-origin-frame.md
Expand Up @@ -195,7 +195,7 @@ order to coalesce connections to the target onto their existing connection.
The following algorithm illustrates how a client could handle received ORIGIN frames:

1. If the client is configured to use a proxy for the connection, ignore the frame and stop processing.
2. If the connection is not running under TLS or does not present Server Name Indication (SNI) {{!RFC6006}}, ignore the frame and stop processing.
2. If the connection is not running under TLS, does not present Server Name Indication (SNI) {{!RFC6006}}, or the connection does not otherwise meet the requirements set by standards or the client implementation, ignore the frame and stop processing.

martinthomson Feb 2, 2017

Contributor

I'm sure that you're enjoying this as much as I am. I'm sorry for being a huge pedant^WPITA, but this isn't right.

This is a non-statement: SNI is mandatory in HTTP/2 and if the connection isn't up to snuff, it will never reach the point that an ORIGIN frame can be received.

I think that you need to change step 4.3 below. Maybe:

If the certificate presented by the server is not valid for the host of parsed_origin, skip to the next origin_raw. The certificate presented by the server is valid for host if it passes the checks that the client would perform when forming a new TLS connection to the origin. This includes verifying that the host matches a dNSName value from the certificate subjectAltName field (using the wildcard rules defined in {{!RFC2818}}).

We had a pretty bad bug in Firefox because we performed one set of checks for Alt-Svc, but failed to perform some fairly critical checks. I don't want to see a repeat of that.

mnot Feb 2, 2017

Author Member

It's a non-normative section, but OK.

3. If the frame occurs upon any stream except stream 0, ignore the frame and stop processing.
4. For each Origin field `origin_raw` in the frame payload:
1. Parse `origin_raw` as an ASCII serialization of an origin ({{!RFC6454}}, Section 6.2) and let the result be `parsed_origin`. If parsing fails, skip to the next `origin_raw`.
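Review bot: the clause added to step 2, "or the connection does not otherwise meet the requirements set by standards or the client implementation", is too vague to be implementable and is checked in the wrong place: TLS and SNI are prerequisites for the HTTP/2 connection itself, so a connection that fails them never reaches the point where an ORIGIN frame is received, and the new wording gives an implementer no concrete check to perform. The security-relevant decision is per origin, inside the step 4 loop over each `origin_raw`: whether the server's certificate is valid for the host of `parsed_origin` under exactly the checks the client would apply when opening a fresh TLS connection to that origin (including subjectAltName dNSName matching with the usual wildcard rules), skipping the origin otherwise. Suggest dropping the "otherwise meet the requirements" clause and stating that per-origin certificate requirement explicitly in step 4. Separately, both the removed and the added line cite SNI as `{{!RFC6006}}`; SNI is defined in RFC 6066 (TLS Extensions: Extension Definitions), so this should read `{{!RFC6066}}`.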