Re: [cors] Review

On Wed, Jun 17, 2009 at 1:01 PM, Anne van Kesteren<annevk@opera.com> wrote:
> On Wed, 17 Jun 2009 19:45:54 +0200, Tyler Close <tyler.close@gmail.com>
> wrote:
>>
>> I believe the described heuristics provide complete coverage for
>> resources behind my company's firewall. Is there a common firewall
>> configuration you are concerned about?
>
> I do not know enough about firewall setups to make an informed comment on
> that, but I do not think it is my responsibility to show that your proposal
> does not have / has flaws.

I suspect the WG's responsibilities are actually broader than that, but...

> If you make your proposal a bit more concrete and
> manage to convince one or vendors to support it we should definitely
> consider it, but until that time this is not much to go by, in my opinion.

For those at work, watching the show, here's the beast we're looking for:

1. A firewalled intranet, where servers behind the firewall have
routable IP addresses (i.e., not 10.*, or 192.168.*)
2. *and* where servers on the Internet are *not* accessed via an HTTP proxy
3. *and* there is a resource on a server behind the firewall that
depends solely on connectivity for authentication (if you can get
packets to me you're allowed to use me)
4. *and* where this resource does *not* treat GET and POST as equivalent methods
5. *and* where this resource checks that the Content-Type header on a
POST request is either "application/x-www-form-urlencoded" or
"text/plain"

If you find a resource that meets the above criteria, then you've got
a resource that may be secure under CORS, but not under my alternate
proposal. Do we have any winners? Please ask friends behind other
firewalls.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html

Received on Wednesday, 17 June 2009 21:35:38 UTC