Using alt-svc on localhost #89
Discussed in Prague; add security considerations / non-normative text that this is another form of privilege escalation, and should be taken into account (both localhost and special use networks / RFC 1918). Need to discuss with webappsec as well as security folks in IETF.
Treating RFC 1918 as special opens up a can of worms, especially as there is no clear mapping there in the IPv6 world and as there are other related spaces (RFC 6598). We may just generally want to ensure AltSvc can't be used to probe/attack internal hosts behind a firewall regardless of what IP space is present. Due to the async behavior of Alt-Svc and the reliance on cert validation, we may be OK here as long as we don't treat RFC 1918 space as special (e.g., as long as we don't relax cert validation requirements there).
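The following is an added example, not part of the issue thread or of any spec text. It parses an Alt-Svc field value, labels each alternative's address space for logging (loopback, RFC 1918, RFC 6598, IPv6 unique local), and makes the use decision depend only on certificate validity for the origin. The function names and the `cert_valid_for_origin` map (a stand-in for the result of real TLS validation) are assumptions.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598 = ipaddress.ip_network("100.64.0.0/10")  # shared (carrier-grade NAT) space
ULA = ipaddress.ip_network("fc00::/7")           # IPv6 unique local, the nearest IPv6 analogue
ALT = re.compile(r'\s*([^=;,\s]+)="([^"]*)"')

def parse_alt_svc(value):
    """Return [(protocol_id, host, port)] from an Alt-Svc field value (RFC 7838)."""
    if value.strip() == "clear":
        return []
    alts = []
    # Split on commas that are outside quoted strings.
    for entry in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', value):
        m = ALT.match(entry)
        if not m:
            continue
        host, _, port = m.group(2).rpartition(":")
        if port.isdigit():
            alts.append((m.group(1), host.strip("[]"), int(port)))
    return alts

def classify(host, origin_host):
    """Label the address space of an alternative; an empty host means the origin host."""
    host = (host or origin_host).lower()
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "dns-name"  # cannot be classified without resolving it
    if ip.is_loopback:
        return "loopback"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.version == 4 and ip in RFC6598:
        return "rfc6598"
    if ip.version == 6 and ip in ULA:
        return "ipv6-ula"
    return "other"

def review(origin_host, header, cert_valid_for_origin):
    """Per alternative: (host, port, label, usable). The label is for logging only;
    usable depends solely on the alternative's certificate being valid for the origin."""
    rows = []
    for _proto, host, port in parse_alt_svc(header):
        target = host or origin_host
        usable = cert_valid_for_origin.get((target, port), False)
        rows.append((target, port, classify(host, origin_host), usable))
    return rows
```

A DNS name is labelled `dns-name` because it cannot be placed in an address class without resolving it, which is one more reason the decision here rests on certificate validation and not on the label.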