The ORIGIN HTTP/2 Framemnot@mnot.nethttps://www.mnot.net/Akamainygren@akamai.comGeneralHTTP Working GroupInternet-DraftThis document specifies the ORIGIN frame for HTTP/2, to indicate what origins are available on a
given connection.Discussion of this draft takes place on the HTTP working group mailing list
(ietf-http-wg@w3.org), which is archived at https://lists.w3.org/Archives/Public/ietf-http-wg/.Working Group information can be found at http://httpwg.github.io/; source
code and issues list for this draft can be found at https://github.com/httpwg/http-extensions/labels/origin-frame.HTTP/2 allows clients to coalesce different origins onto the same
connection when certain conditions are met. However, in certain cases, a connection is is not
usable for a coalesced origin, so the 421 (Misdirected Request) status code (, Section
9.1.2) was defined.Using a status code in this manner allows clients to recover from misdirected requests, but at the
penalty of adding latency. To address that, this specification defines a new HTTP/2 frame type,
“ORIGIN”, to allow servers to indicate what origins a connection is usable for.Additionally, experience has shown that HTTP/2’s requirement to establish server authority using
both DNS and the server’s certificate is onerous. This specification relaxes the requirement to
check DNS when the ORIGIN frame is in use. Doing so has additional benefits, such as removing the
latency associated with some DNS lookups, and improving DNS privacy.The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”,
“RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in
.The ORIGIN HTTP/2 frame (, Section 4) allows a server to indicate what origin(s)
the server would like the client to consider as members of the Origin Set ()
for the connection it occurs within.The ORIGIN frame type is 0xc (decimal 12).The ORIGIN frame’s payload contains the following fields, sets of which may be repeated within the
frame to indicate multiple origins:
An unsigned, 16-bit integer indicating the length, in octets, of the ASCII-Origin field.
An optional sequence of characters containing the ASCII serialization of an origin (, Section 6.2) that the sender believes this connection is or could be authoritative for.The ORIGIN frame does not define any flags. However, future updates to this specification MAY
define flags. See .The ORIGIN frame is a non-critical extension to HTTP/2. Endpoints that do not support this frame
can safely ignore it upon receipt.When received by an implementing client, it is used to initialise and manipulate the Origin Set
(see ), thereby changing how the client establishes authority for origin servers (see
).The origin frame MUST be sent on stream 0; an ORIGIN frame on any other stream is invalid and MUST
be ignored.Likewise, the ORIGIN frame is only valid on connections with the “h2” protocol identifier, or when
specifically nominated by the protocol’s definition; it MUST be ignored when received on a
connection with the “h2c” protocol identifier.This specification does not define any flags for the ORIGIN frame, but future updates might use
them to change its semantics. The first four flags (0x1, 0x2, 0x4 and 0x8) are reserved for
backwards-incompatible changes, and therefore when any of them are set, the ORIGIN frame containing
them MUST be ignored by clients conforming to this specification, unless the flag’s semantics are
understood. The remaining flags are reserved for backwards-compatible changes, and do not affect
processing by clients conformant to this specification.The ORIGIN frame describes a property of the connection, and therefore is processed hop-by-hop. An
intermediary MUST NOT forward ORIGIN frames. Clients configured to use a proxy MUST ignore any
ORIGIN frames received from it.Each ASCII-Origin field in the frame’s payload MUST be parsed as an ASCII serialisation of an
origin (, Section 6.2). If parsing fails, the field MUST be ignored.See for an illustrative algorithm for processing ORIGIN frames.The set of origins (as per ) that a given connection might be used for is known in this
specification as the Origin Set.By default, a connections’s Origin Set is uninitialised. When an ORIGIN frame is first received and
successfully processed by a client, the connection’s Origin Set is defined to contain a single
origin, composed from:Scheme: “https”Host: the value sent in Server Name Indication ( Section 3), converted to lower casePort: the remote port of the connection (i.e., the server’s port)The contents of that ORIGIN frame (and subsequent ones) allows the server to incrementally add new
origins to the Origin Set, as described in .The Origin Set is also affected by the 421 (Misdirected Request) response status code, defined in
Section 9.1.2. Upon receipt of a response with this status code, implementing clients
MUST create the ASCII serialisation of the corresponding request’s origin (as per ,
Section 6.2) and remove it from the connection’s Origin Set, if present., Section 10.1 uses both DNS and the presented TLS certificate to establish the origin
server(s) that a connection is authoritative for, just as HTTP/1.1 does in .
Furthermore, Section 9.1.1 explicitly allows a connection to be used for more than one
origin server, if it is authoritative. This affects what requests can be sent on the connection,
both in HEADERS frame by the client and as PUSH_PROMISE frames from the server.Once an Origin Set has been initialised for a connection, clients that implement this specification
change these behaviors in the following ways:Clients MUST NOT consult DNS to establish the connection’s authority for new requests. The TLS
certificate MUST stil be used to do so, as described in Section 9.1.1.Clients sending a new request SHOULD use an existing connection if the request’s origin is in that connection’s Origin Set, unless there are operational reasons for creating a new connection.Clients MUST use the Origin Set to determine whether a received PUSH_PROMISE is authoritative, as described in , Section 8.2.2.Note that clients are still required to perform checks on the certificate presented by the server
for each origin that a connection is used for; see Section 9.1.1 for more information.
This includes verifying that the host matches a dNSName value from the certificate
subjectAltName field (using the wildcard rules defined in ; see also
Section 4.2.1.6).Because ORIGIN can change the set of origins a connection is used for over time, it is possible
that a client might have more than one viable connection to an origin open at any time. When this
occurs, clients SHOULD not emit new requests on any connection whose Origin Set is a subset of
another connection’s Origin Set, and SHOULD close it once all outstanding requests are satisfied.This specification adds an entry to the “HTTP/2 Frame Type” registry.Frame Type: ORIGINCode: 0xcSpecification: [this document]Clients that blindly trust the ORIGIN frame’s contents will be vulnerable to a large number of
attacks. See for mitigations.Relaxing the requirement to consult DNS when determining authority for an origin means that an
attacker who possesses a valid certificate no longer needs to be on-path to redirect traffic to
them; instead of modifying DNS, they need only convince the user to visit another Web site, in
order to coalesce connections to the target onto their existing connection.Key words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Hypertext Transfer Protocol Version 2 (HTTP/2)This specification describes an optimized expression of the semantics of the Hypertext Transfer Protocol (HTTP), referred to as HTTP version 2 (HTTP/2). HTTP/2 enables a more efficient use of network resources and a reduced perception of latency by introducing header field compression and allowing multiple concurrent exchanges on the same connection. It also introduces unsolicited push of representations from servers to clients.This specification is an alternative to, but does not obsolete, the HTTP/1.1 message syntax. HTTP's existing semantics remain unchanged.The Web Origin ConceptThis document defines the concept of an "origin", which is often used as the scope of authority or privilege by user agents. Typically, user agents isolate content retrieved from different origins to prevent malicious web site operators from interfering with the operation of benign web sites. In addition to outlining the principles that underlie the concept of origin, this document details how to determine the origin of a URI and how to serialize an origin into a string. It also defines an HTTP header field, named "Origin", that indicates which origins are associated with an HTTP request. [STANDARDS-TRACK]Transport Layer Security (TLS) Extensions: Extension DefinitionsThis document provides specifications for existing TLS extensions. It is a companion document for RFC 5246, "The Transport Layer Security (TLS) Protocol Version 1.2". The extensions specified are server_name, max_fragment_length, client_certificate_url, trusted_ca_keys, truncated_hmac, and status_request. [STANDARDS-TRACK]HTTP Over TLSThis memo describes how to use Transport Layer Security (TLS) to secure Hypertext Transfer Protocol (HTTP) connections over the Internet. This memo provides information for the Internet community.Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) ProfileThis memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and RoutingThe Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document provides an overview of HTTP architecture and its associated terminology, defines the "http" and "https" Uniform Resource Identifier (URI) schemes, defines the HTTP/1.1 message syntax and parsing requirements, and describes related security concerns for implementations.Web LinkingThis document specifies relation types for Web links, and defines a registry for them. It also defines the use of such links in HTTP headers with the Link header field. [STANDARDS-TRACK]HTTP Alternative ServicesThis document specifies "Alternative Services" for HTTP, which allow an origin's resources to be authoritatively available at a separate network location, possibly accessed with a different protocol configuration.The following algorithm illustrates how a client could handle received ORIGIN frames:If the client is configured to use a proxy for the connection, ignore the frame and stop processing.If the connection is not identified with the “h2” protocol identifier or another protocol that has explicitly opted into this specification, ignore the frame and stop processing.If the frame occurs upon any stream except stream 0, ignore the frame and stop processing.If any of the flags 0x1, 0x2, 0x4 or 0x8 are set, ignore the frame and stop processing.If no previous ORIGIN frame on the connection has reached this step, initialise the Origin Set as per .For each Origin field origin_raw in the frame payload:
Parse origin_raw as an ASCII serialization of an origin (, Section 6.2) and let the result be parsed_origin. If parsing fails, skip to the next origin_raw.Add parsed_origin to the Origin Set.The ORIGIN frame allows a server to indicate for which origins a given connection ought be used.For example, it can be used to inform the client that the connection is to only be used for the
SNI-based origin, by sending an empty ORIGIN frame. Or, a larger number of origins can be indicated
by including a payload.Generally, this information is most useful to send before sending any part of a response that might
initiate a new connection; for example, Link headers in a response HEADERS, or links
in the response body.Therefore, the ORIGIN frame ought be sent as soon as possible on a connection, ideally before any
HEADERS or PUSH_PROMISE frames.However, if it’s desirable to associate a large number of origins with a connection, doing so might
introduce end-user perceived latency, due to their size. As a result, it might be necessary to
select a “core” set of origins to send initially, expanding the set of origins the connection is
used for with subsequent ORIGIN frames later (e.g., when the connection is idle).That said, senders are encouraged to include as many origins as practical within a single ORIGIN
frame; clients need to make decisions about creating connections on the fly, and if the origin
set is split across many frames, their behaviour might be suboptimal.Senders take note that, as per Section 4, the values in an ORIGIN header need to be
case-normalised before serialisation.Finally, servers that host alternative services will need to explicitly advertise
their origins when sending ORIGIN, because the default contents of the Origin Set (as per )
do not contain any Alternative Services’ origins, even if they have been used previously on the
connection.