The ORIGIN HTTP/2 Framemnot@mnot.nethttps://www.mnot.net/Akamai Technologieserik+ietf@nygren.org
General
HTTPThis document specifies the ORIGIN frame for HTTP/2, to indicate what origins are available on a
given connection.HTTP/2 allows clients to coalesce different origins onto the same
connection when certain conditions are met. However, in some cases, a connection is not
usable for a coalesced origin, so the 421 (Misdirected Request) status code () was defined.Using a status code in this manner allows clients to recover from misdirected requests, but at the
penalty of adding latency. To address that, this specification defines a new HTTP/2 frame type,
"ORIGIN", to allow servers to indicate for which origins a connection is usable.Additionally, experience has shown that HTTP/2's requirement to establish server authority using
both DNS and the server's certificate is onerous. This specification relaxes the requirement to
check DNS when the ORIGIN frame is in use. Doing so has additional benefits, such as removing the
latency associated with some DNS lookups.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14
when, and only when, they appear in all capitals, as shown here.
This document defines a new HTTP/2 frame type () called ORIGIN, that allows
a server to indicate what origin(s) the server would like the client to consider as
members of the Origin Set () for the connection within
which it occurs.The ORIGIN frame type is 0xc (decimal 12) and contains zero or more instances of the Origin-Entry
field.An Origin-Entry is a length-delimited string:Specifically:
An unsigned, 16-bit integer indicating the length, in octets, of the ASCII-Origin field.
An OPTIONAL sequence of characters containing the ASCII serialization of an origin () that the sender asserts this connection is or could be authoritative for.The ORIGIN frame does not define any flags. However, future updates to this specification MAY
define flags. See .The ORIGIN frame is a non-critical extension to HTTP/2. Endpoints that do not support this frame
can safely ignore it upon receipt.When received by an implementing client, it is used to initialize and manipulate the Origin Set
(see ), thereby changing how the client establishes authority for origin servers (see
).The ORIGIN frame MUST be sent on stream 0; an ORIGIN frame on any other stream is invalid and MUST
be ignored.Likewise, the ORIGIN frame is only valid on connections with the "h2" protocol identifier or when
specifically nominated by the protocol's definition; it MUST be ignored when received on a
connection with the "h2c" protocol identifier.This specification does not define any flags for the ORIGIN frame, but future updates to this
specification (through IETF consensus) might use them to change its semantics. The first four flags
(0x1, 0x2, 0x4, and 0x8) are reserved for backwards-incompatible changes; therefore, when any of
them are set, the ORIGIN frame containing them MUST be ignored by clients conforming to this
specification, unless the flag's semantics are understood. The remaining flags are reserved for
backwards-compatible changes and do not affect processing by clients conformant to this
specification.The ORIGIN frame describes a property of the connection and therefore is processed hop by hop. An
intermediary MUST NOT forward ORIGIN frames. Clients configured to use a proxy MUST ignore any
ORIGIN frames received from it.Each ASCII-Origin field in the frame's payload MUST be parsed as an ASCII serialization of an
origin (). If parsing fails, the field MUST be ignored.Note that the ORIGIN frame does not support wildcard names (e.g., "*.example.com") in Origin-Entry.
As a result, sending ORIGIN when a wildcard certificate is in use effectively disables any origins
that are not explicitly listed in the ORIGIN frame(s) (when the client understands ORIGIN).See for an illustrative algorithm for processing ORIGIN frames.The set of origins (as per ) that a given connection might be used for is known in this
specification as the Origin Set.By default, the Origin Set for a connection is uninitialized. An uninitialized Origin Set means
that clients apply the coalescing rules from .When an ORIGIN frame is first received and successfully processed by a client, the connection's
Origin Set is defined to contain an initial origin. The initial origin is composed from:Scheme: "https"Host: the value sent in Server Name Indication (SNI) () converted to lower case; if SNI is not present, the remote address of the connection (i.e., the server's IP address)Port: the remote port of the connection (i.e., the server's port)The contents of that ORIGIN frame (and subsequent ones) allow the server to incrementally add new
origins to the Origin Set, as described in .The Origin Set is also affected by the 421 (Misdirected Request) response status code, as defined in
. Upon receipt of a response with this status code, implementing clients
MUST create the ASCII serialization of the corresponding request's origin (as per )
and remove it from the connection's Origin Set, if present.
When sending an ORIGIN frame to a connection that is initialized as an alternative service
, the initial Origin Set () will contain an origin with the appropriate
scheme and hostname (since RFC 7838 specifies that the origin's hostname be sent in SNI). However, it is possible that the port will be different than that of the intended
origin, since the initial Origin Set is calculated using the actual port in use, which can be
different for the alternative service. In this case, the intended origin needs to be sent in
the ORIGIN frame explicitly.For example, a client making requests for "https://example.com" is directed to an alternative
service at ("h2", "x.example.net", "8443"). If this alternative service sends an ORIGIN
frame, the initial origin will be "https://example.com:8443". The client will not be able to
use the alternative service to make requests for "https://example.com" unless that origin is
explicitly included in the ORIGIN frame. uses both DNS and the presented Transport Layer Security (TLS) certificate to establish the origin
server(s) that a connection is authoritative for, just as HTTP/1.1 does in .Furthermore, explicitly allows a connection to be used for more than
one origin server, if it is authoritative. This affects what responses can be considered
authoritative, both for direct responses to requests and for server push (see ).
Indirectly, it also affects what requests will be sent on a connection, since clients will
generally only send requests on connections that they believe to be authoritative for the origin in
question.Once an Origin Set has been initialized for a connection, clients that implement this specification
use it to help determine what the connection is authoritative for. Specifically, such clients MUST
NOT consider a connection to be authoritative for an origin not present in the
Origin Set, and they
SHOULD use the connection for all requests to origins in the Origin Set for which the connection is
authoritative, unless there are operational reasons for opening a new connection.Note that for a connection to be considered authoritative for a given origin, the server is still
required to authenticate with a certificate that passes suitable checks; see
for more information. This includes verifying that the host matches a dNSName value
from the certificate subjectAltName field (using the rules defined in ; see also
).Additionally, clients MAY avoid consulting DNS to establish the connection's authority for new
requests to origins in the Origin Set; however, those that do so face new risks, as explained in
.Because ORIGIN can change the set of origins a connection is used for over time, it is possible
that a client might have more than one viable connection to an origin open at any time. When this
occurs, clients SHOULD NOT emit new requests on any connection whose Origin Set is a proper subset
of another connection's Origin Set, and they SHOULD close it once all outstanding requests are satisfied.The Origin Set is unaffected by any alternative services advertisements made by the
server. Advertising an alternative service does not affect whether a server is authoritative.This specification adds an entry to the "HTTP/2 Frame Type" registry.Frame Type: ORIGINCode: 0xcSpecification: RFC 8336Clients that blindly trust the ORIGIN frame's contents will be vulnerable to a large number of
attacks. See for mitigations.Relaxing the requirement to consult DNS when determining authority for an origin means that an
attacker who possesses a valid certificate no longer needs to be on path to redirect traffic to
them; instead of modifying DNS, they need only convince the user to visit another website in
order to coalesce connections to the target onto their existing connection.As a result, clients opting not to consult DNS ought to employ some alternative means to establish
a high degree of confidence that the certificate is legitimate. For example, clients might skip
consulting DNS only if they receive proof of inclusion in a Certificate Transparency log
or if they have a recent Online Certificate Status Protocol (OCSP) response (possibly using the "status_request"
TLS extension ) showing that the certificate was not revoked.The Origin Set's size is unbounded by this specification and thus could be used by attackers to
exhaust client resources. To mitigate this risk, clients can monitor their state commitment and
close the connection if it is too high.The following algorithm illustrates how a client could handle received ORIGIN frames:If the client is configured to use a proxy for the connection, ignore the frame and stop processing.If the connection is not identified with the "h2" protocol identifier or another protocol that has explicitly opted into this specification, ignore the frame and stop processing.If the frame occurs upon any stream except stream 0, ignore the frame and stop processing.If any of the flags 0x1, 0x2, 0x4, or 0x8 are set, ignore the frame and stop processing.If no previous ORIGIN frame on the connection has reached this step, initialize the Origin Set as per .For each Origin-Entry in the frame payload:
Parse ASCII-Origin as an ASCII serialization of an origin (), and let the result be parsed_origin. If parsing fails, skip to the next Origin&nbhy;Entry.Add parsed_origin to the Origin Set.The ORIGIN frame allows a server to indicate for which origins a given connection ought be used.
The set of origins advertised using this mechanism is under control of the server; servers are not
obligated to use it or to advertise all origins that they might be able to answer a request for.For example, it can be used to inform the client that the connection is to only be used for the
SNI-based origin, by sending an empty ORIGIN frame. Or, a larger number of origins can be indicated
by including a payload.Generally, this information is most useful to send before sending any part of a response that might
initiate a new connection; for example, "Link" response header fields , or links in the response body.Therefore, the ORIGIN frame ought be sent as soon as possible on a connection, ideally before any
HEADERS or PUSH_PROMISE frames.However, if it's desirable to associate a large number of origins with a connection, doing so might
introduce end-user-perceived latency, due to their size. As a result, it might be necessary to
select a "core" set of origins to send initially, and expand the set of origins the connection is
used for with subsequent ORIGIN frames later (e.g., when the connection is idle).That said, senders are encouraged to include as many origins as practical within a single ORIGIN
frame; clients need to make decisions about creating connections on the fly, and if the Origin
Set is split across many frames, their behavior might be suboptimal.Senders take note that, as per , Step 5, of , the values in an ORIGIN header
need to be case-normalized before serialization.Finally, servers that host alternative services will need to explicitly advertise
their origins when sending ORIGIN, because the default contents of the Origin Set (as per )
do not contain any alternative services' origins, even if they have been used previously on the
connection.