
Use http2.originSet for socket/session re-use

Open grantila opened this issue 8 years ago • 3 comments

As described here: https://nodejs.org/dist/latest-v9.x/docs/api/http2.html#http2_http2session_originset

grantila avatar Apr 09 '18 13:04 grantila

Help on this is welcome, if it's of some importance to anyone.

  • Can the originSet be trusted to use as-is?
  • Does Node.js filter invalid results?
  • Does Node.js check that origins match the TLS origins to not have bad servers pretending to authorize 3rd party origins?

grantila avatar Nov 27 '18 21:11 grantila

It appears that originSet always reports the current origin (servername from the TLS socket). I suspect that it was originally planned to reflect the Origin frame if the spec were to ever land. So currently originSet is not much use in practical use cases.

However, the session.socket.getPeerCertificate().subjectaltname does provide the available SANs on the connected certificate. I would propose a new ContextOption that allows trusting the TLS certificate without DNS lookup (or allows for DNS lookup as an elevated situation).

colinbendell avatar Dec 11 '19 03:12 colinbendell

You can use http2wrapper.Agent. We already use http2-wrapper in Got.

szmarczak avatar Apr 27 '20 18:04 szmarczak