On Tue, Jan 19, 2016 at 6:49 PM, Guillaume Rossolini
<
guillaume...@instantluxe.com> wrote:
> I would venture that not anyone should be able to push resources from hosts
> they do not control. This could be controlled by several existing
> technologies, one of them being crossdomain (XML) files, but must assume you
> know of this and I am missing something.
>
For cross domain server push to be useful you'd have to be able to do:
a.com/index.html
-> pushed
b.com/script.js
without making a connection to
b.com to verify that this push was
authorized. (If you're going to connected to
b.com regardless you
might as well just load the script from there.)
> Some part of the responsibility falls to the browser/client, and some other
> part of the responsibility falls to the server.
> Whatever the client asks for, the server does not need to oblige. Of course,
> the reverse is also true: whatever the server sends, the client should feel
> free to ignore.
Well, ok, nothing stops you from doing cross domain server push on the
server end, but any client will drop the pushed resource because
that's what the spec says. If you want to be able to do this here you
need to figure out how to extend the spec to allow this pushing
without making this insecure.
> "once the resource is pushed", it would be available to any resource that
> should have access to it. Is this a problem? With a proper whitelisting or
> filtering mecanism, is it still a danger?
>
What do you mean by a "proper whitelisting and filtering mechanism"?