A number of folks got together earlier this week to talk about cross-origin server push in H2 and QUIC. Here's some notes.
Background
Both H2 and QUIC allow connection pooling when domains are covered by the same certificate. For example, if a certificate for the connection is for *.
example.com, requests to both
a.example.com and
b.example.com can be handled by the same connection. Certificates can also support more disjoint domains like
a.example.com and
www.bentzel.net.
With the latter example, it's possible that a PUSH_PROMISE for
www.bentzel.net/foo.webp could be created that is associated with a request for
a.example.com/index.html. A common case where this could happen is when the H2 connection is terminated by a reverse proxy that supports multiple backends. The initial client-issued request for
a.example.com/index.html would have an an :authority for
a.example.com and the reverse proxy would route to the appropriate backend server. In the response, it could provide a Link: rel=preload hint for
www.bentzel.net/foo.webp. Since the connection to the reverse proxy can also cover
www.bentzel.net, the reverse proxy converts the preload hint to a PUSH_PROMISE (and PUSH).
Concerns
There were two classes of concerns around this:
- Are there fundamental protocol issues, like bypassing CORS checks?
- Are there practical issues, like www.example.com being able to push actual responses for www.bentzel.net, even though it has no authority.
There was general belief that there were no fundamental issues. For example, CORS preflight checks would not be done at the time the response is pushed, but would be issued prior to being able to use the pushed response.
The practical issues were more of a concern. The HTTP/2 RFC includes a
section covering multi-tenant servers and PUSH. However, we don't know whether this is an actual bug on reverse proxies now, especially since this is fairly new and subtle behavior.
Steps Forward
There were two proposals to gather more information:
- Do a survey of common reverse proxies and see if this is actually a problem.
- Understand if people currently want to do cross-origin push to see if it's a benefit.
The main question is whether we start conservative and disable cross-origin push until we are more confident that there is not a problem, or whether we allow cross-origin push and then remove support if there's a demonstrated attack. Removing support will not break sites, it will simply mean that cross-origin pushes are rejected and potentially have some performance impact.