ISSUE-4 Re: New Progress Events draft

From: Charles McCathieNevile <chaals@opera.com>
Date: Tue, 21 Oct 2008 12:27:26 +0200
To: "Jonas Sicking" <jonas@sicking.cc>
Cc: "WebApps WG" <public-webapps@w3.org>
Message-ID: <op.ujddz0o0wxe0ny@widsith.orange-hotspot.com>

On Mon, 20 Oct 2008 17:48:07 +0200, Jonas Sicking <jonas@sicking.cc> wrote:

> Charles McCathieNevile wrote:
...
>> http://dev.w3.org/cvsweb/~checkout~/2006/webapi/progress/Progress.html?rev=1.24  
>> you will find a new draft of the progress events spec, for your  
>> delectation...
>
> So the spec says that for HEAD requests the size should include the size  
> of headers. I just realized that this might be a security issue.

Following discussion today, I will change the text to say head content  
*should not* be calculated, for the reason Jonas gives.

cheers

Chaals

> The headers can include the user's password, many times in clear text. If  
> a site knows the size of the default headers for a given implementation,  
> it can figure out the size of the user's password by subtracting the  
> default size from the size reported from the 'load' event from a HEAD  
> request.

-- 
Charles McCathieNevile  Opera Software, Standards Group
     je parle français -- hablo español -- jeg lærer norsk
http://my.opera.com/chaals       Try Opera: http://www.opera.com
Received on Tuesday, 21 October 2008 10:27:58 GMT
