Re: [whatwg/fetch] Vary HTTP cache on credentials mode (#307)

> but are not in use for most simple sites, which will increasingly use HTTPS (defeating other kinds of proxies).

I'm not sure I agree with this claim, if only because it's made without data. For example, most simple sites shouldn't run into this problem (therefore, should we only focus on complex sites, which may use this?). But also, even many simple sites do increasingly use intermediate proxies, hosted by the CDN performing the TLS termination on their behalf, which then communicates directly with their resources. Think Akamai or Cloudflare - which seem to be pretty well used at this point :)

> browsers typically offer defense-in-depth even when sites could have protected themselves better (case in point: intranets)

I'm not sure I agree with this either. Browsers try to ensure the flexibility to afford controls for the site operator to match intent and behaviour, but I don't think they can or do strive to prevent 'misuse' of those controls. I think the scenario you've described, at least as I tried to summarize in https://github.com/whatwg/fetch/issues/307#issuecomment-285116968 , _sounds_ like a misuse of the controls rather than an absence of controls, but I'm trying to make sure I understand the issue fully.

https://github.com/whatwg/fetch/issues/307#issuecomment-285119995

Received on Wednesday, 8 March 2017 18:09:07 UTC