
Re: HTTPbis and the Same Origin Policy

From: Martin J. Dürst <duerst@it.aoyama.ac.jp>
Date: Tue, 01 Dec 2009 13:28:20 +0900
Message-ID: <4B149B64.2070609@it.aoyama.ac.jp>
To: Tyler Close <tyler.close@gmail.com>
CC: Adam Barth <w3c@adambarth.com>, Julian Reschke <julian.reschke@gmx.de>, HTTP Working Group <ietf-http-wg@w3.org>
On 2009/12/01 4:00, Tyler Close wrote:

> Consider a webbot that sends a PUT request to a resource on the
> open Internet, which responds with a 307 to a resource behind the same
> firewall as the webbot. The webbot has essentially punched a hole in
> the firewall.

Yes, the webbot has done this. One has to be very careful when running 
stuff such as webbots, and make sure they are either inside or outside the 
firewall, but not both, unless you know exactly what you're doing. This 
not only applies to PUTs, but also to GETs.

On the other hand, if I write (e.g. using libcurl or whatever) a 
"webbot" that periodically checks the balance on one of my bank accounts 
and transfers money from another bank account of mine if the balance on 
the first bank account is low, then I don't see why anybody would want 
to forbid this.

Regards,   Martin.

#-# Martin J. Dürst, Professor, Aoyama Gakuin University
#-# http://www.sw.it.aoyama.ac.jp   mailto:duerst@it.aoyama.ac.jp
Received on Tuesday, 1 December 2009 04:29:24 UTC
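One defensive check a webbot in the quoted scenario could apply before following a 307 (or any 3xx) Location, added here as an example that is not part of the original thread or of any project's code: refuse to follow a redirect from a public host to any target that resolves to a private, loopback, link-local or otherwise non-global address. The hostnames, addresses and the DNS table are constructed placeholders, and `redirect_allowed` is a hypothetical helper name.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Constructed DNS table for the offline demo (hostnames and addresses are made up).
# A real bot would pass resolve=None so socket.getaddrinfo is used instead.
DEMO_DNS = {
    "public.example.com": ["1.2.3.4"],        # placeholder: host on the open Internet
    "intranet.corp.example": ["10.0.0.5"],    # placeholder: host behind the firewall
}

def _addresses(host, resolve=None):
    """Return the IP strings a hostname maps to; IP literals pass straight through."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    if resolve is not None:
        return resolve(host) or []
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_internal(ip):
    """True for anything that is not a globally routable unicast address."""
    addr = ipaddress.ip_address(ip)
    return (not addr.is_global) or addr.is_multicast

def redirect_allowed(request_url, location, resolve=None):
    """Decide whether a bot may follow the Location header of a 3xx response.

    Policy: once a request has gone to a public host, never follow a redirect
    whose target resolves to any internal address, and only follow http(s).
    Returns (allowed, absolute_target_url).
    """
    target = urljoin(request_url, location)
    dst = urlsplit(target)
    src_host = urlsplit(request_url).hostname
    if dst.scheme not in ("http", "https") or not dst.hostname or not src_host:
        return False, target
    src_ips = _addresses(src_host, resolve)
    dst_ips = _addresses(dst.hostname, resolve)
    if not dst_ips:
        return False, target          # unresolvable target: refuse rather than guess
    # Unresolvable source is treated as public so the policy still applies (fail closed).
    src_is_public = not any(is_internal(ip) for ip in src_ips)
    # A name resolving to both public and internal addresses counts as internal.
    if src_is_public and any(is_internal(ip) for ip in dst_ips):
        return False, target
    return True, target
```

The same check applies to GET as to PUT, matching the point above that the hole is punched by following the redirect at all, not by the method.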
