Grabbing authority for paths closer to the root

[annevk]

It seems that the proposal allows any subresource to essentially claim dictionary authority for /.

• Am I misunderstanding or is that correct?
• If so, can that be abused in some manner?
• If so, this seems inconsistent with how we handled this with, e.g., service workers: https://w3c.github.io/ServiceWorker/#path-restriction.

[pmeenan]

As it stands now, yes. We considered using similar path restrictions but were concerned that it was being over-protective because the abuse (or shoot-yourself-in-the-foot) vectors are very different.

With SW you can intercept other requests and break them or have unintended side-effects.

If you intentionally (or unintentionally) set a dictionary to a path that you don't own and with a path that is more specific than any other dictionaries for the same path, the worst that would happen is you could defeat the use of the other dictionary which is not unlike the capabilities if you used Clear-site-data wrong.

The request on the other path would get a request header with available-dictionary: and a hash that they don't expect and should return the resource using non-dictionary content encoding.

If a site is set up in such a way that it does not fall back to the regular compression in the case of a dictionary miss then it could 404 the resource which could break things but that's potentially a risk when using dictionary compression by itself.

[annevk]

Thanks, it does seem unlikely this would get abused given the conditional request with available-dictionary. It would be good to explain this in the eventual security (background) section I think.

I didn't see it stated, but does the given path have to match the subresource?

[pmeenan]

I'm not sure I understand the question (and I'll submit a PR in a bit to beef up the path expansion, matching and rules shortly).

• The path is relative to the current origin (or the current response path if it doesn't start with /). It can be arbitrary within the origin the dictionary is served from.
• The expanded path is stored with the dictionary but with wildcards intact.
• Future requests are matched against the paths of available dictionaries. If there are more than 1 match then the dictionary with the path with the longest string (most specific) is used.