HTTP/2 session reuse does not happen across credentialed and uncredentialed requests
Reported by pva...@edmunds.com, Jun 6 2018
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.62 Safari/537.36

Steps to reproduce the problem:
1. Run webpagetest on chrome for url https://www.edmunds.com/porsche/cayenne/2015/vin/WP1AC2A28FLA80581/
2. See the waterfall after the test
3. Notice that (around step #15) SSL handshake happens again for domain venom-assets.edmunds-media.com, or see the web page test result at https://wpt1.speedcurve.com/details.php?test=180605_MR_77e13277126ef0d5fb933d48f5fb0f7f&run=1

What is the expected behavior?
The domain venom-assets.edmunds-media.com is part of the TLS certificate for www.edmunds.com and any calls to it should be trusted after the initial handshake, i.e. the handshake should happen only once at the beginning.

What went wrong?
Around step #15, SSL handshake happens again for domain venom-assets.edmunds-media.com. The request is for font data https://venom-assets.edmunds-media.com/edmunds-icons.d6c6f44127d52a92cde986b1cbc4bcd9.woff2

Did this work before? N/A
Does this work in other browsers? N/A

Chrome version: 67.0.3396.62
Channel: stable
OS Version:
Flash Version:

For webpagetest, issue occurs on Android too.
Jun 6 2018
Hi David, what does it mean that https://venom-assets.edmunds-media.com/edmunds-icons.d6c6f44127d52a92cde986b1cbc4bcd9.woff2 is uncredentialed? I verified the host has a valid certificate: https://www.ssllabs.com/ssltest/analyze.html?d=venom-assets.edmunds-media.com

Also, this issue does not seem to happen on IE11 (https://www.webpagetest.org/result/180606_YW_0c71277091e71d5d9676ee146f0e6eb2/3/details/#waterfall_view_step1) or Firefox (https://www.webpagetest.org/result/180606_39_b3c30d741531113c6e2f700f5ab30f0d/1/details/#waterfall_view_step1).
Jun 6 2018
Uncredentialed meaning sent without cookies and such (CORS anonymous). I don't know whether other browsers shard that way. Our history here is a little funny.
Jun 7 2018
Got it. Would it help if we put the font request on the same origin (www.edmunds.com)? Also, at the risk of digressing a bit, but since you mentioned that we connect to a lot of hosts: are there any optimizations you can suggest with regard to hosts, subdomains or number of requests?
Jun 7 2018
So the 'with credentials' aspect is presently spec'ced as https://drafts.csswg.org/css-fonts/#font-fetching-requirements, namely that it requires the font fetch be made with CORS Anonymous mode: "When fetching, user agents must use "Anonymous" mode." This triggers a separate socket connection. This is documented in https://fetch.spec.whatwg.org/#connections. Changing that is being tracked in https://github.com/whatwg/fetch/issues/341.

Changing it to be same-origin will not change that behaviour. You could use preconnect to preconnect in anonymous mode.

As David mentioned, we're exploring the possibility of changing that, both in Fetch and implementation, but that's a rather substantial change, and it's blocked on other rather substantial changes, such as Issue 799935.

Tagging this as a P-3/Feature request, since it'll also require the spec change.
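The comment above explains why a host that already has an HTTP/2 connection open can still show a second TLS handshake: an anonymous-mode font fetch cannot reuse the credentialed connection pool. The following is an added example (not code from the bug report or from Chromium) showing how to confirm that from the page itself with the Resource Timing API rather than an external waterfall tool: a connection that was reused reports `connectStart === connectEnd`, while a freshly opened connection reports a positive interval. The hostnames and the font URL are taken from the report; the sample entries and the `app.css` / `app.js` paths are constructed for illustration.

```javascript
// Added example (not from the bug report): classify Resource Timing entries
// by whether the browser had to open a new connection (and so run a new TLS
// handshake) to fetch them. A reused connection reports
// connectStart === connectEnd; a new one reports a positive interval.

// Returns the entries that opened a new connection. Accepts any array of
// objects shaped like PerformanceResourceTiming (name, connectStart,
// secureConnectionStart, connectEnd).
function newConnectionEntries(entries) {
  return entries.filter((e) => e.connectEnd - e.connectStart > 0);
}

// Counts newly opened connections per host. A host that shows up with 2
// on an HTTP/2 site is the symptom discussed above: one credentialed
// connection and one anonymous-mode connection for the font.
function connectionsPerHost(entries) {
  const counts = {};
  for (const e of newConnectionEntries(entries)) {
    const host = new URL(e.name).host;
    counts[host] = (counts[host] || 0) + 1;
  }
  return counts;
}

// Constructed sample entries (timestamps in ms, invented) mimicking the
// waterfall in the report: the stylesheet and script on the asset host share
// one credentialed HTTP/2 connection, but the anonymous font fetch to the
// same host opens a second one.
const sampleEntries = [
  { name: 'https://www.edmunds.com/porsche/cayenne/2015/vin/WP1AC2A28FLA80581/',
    connectStart: 10, secureConnectionStart: 25, connectEnd: 80 },
  { name: 'https://venom-assets.edmunds-media.com/app.css',          // constructed path
    connectStart: 120, secureConnectionStart: 135, connectEnd: 190 },
  { name: 'https://venom-assets.edmunds-media.com/app.js',           // constructed path, reused connection
    connectStart: 200, secureConnectionStart: 200, connectEnd: 200 },
  { name: 'https://venom-assets.edmunds-media.com/edmunds-icons.d6c6f44127d52a92cde986b1cbc4bcd9.woff2',
    connectStart: 450, secureConnectionStart: 465, connectEnd: 520 },
];

// In a browser, run the same check over the live entries. Cross-origin hosts
// must send Timing-Allow-Origin, otherwise their connect timings are zeroed
// and they will never show up as new connections here.
if (typeof performance !== 'undefined' && typeof performance.getEntriesByType === 'function') {
  console.log('live:', connectionsPerHost(performance.getEntriesByType('resource')));
}
console.log('sample:', connectionsPerHost(sampleEntries));
```

Two caveats when using this on a real page: the asset host has to send a `Timing-Allow-Origin` header that covers the page origin, or the browser zeroes the connection timings for those entries; and the workaround the comment mentions is a preconnect hint in anonymous mode, i.e. `<link rel="preconnect" href="https://venom-assets.edmunds-media.com" crossorigin>`, which warms the separate anonymous-mode connection early so the font fetch does not pay the handshake on the critical path.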
Jun 8 2018
Jan 15
Comment 1 by davidben@chromium.org, Jun 6 2018
Components: Internals>Network>HTTP2
Status: Untriaged (was: Unconfirmed)
Summary: HTTP/2 session reuse not happen across credentialed and uncredentialed requests (was: SSL handshake renegotiating during Web Page Test)