
Re: [XHR2] Upload progress events and simple cross-origin requests

From: Alexey Proskuryakov <ap@webkit.org>
Date: Thu, 19 Mar 2009 10:06:20 +0300
Cc: public-webapps <public-webapps@w3.org>
Message-Id: <94D6F6C7-EFF1-4523-8689-F03C7F458EBB@webkit.org>
To: Jonas Sicking <jonas@sicking.cc>

On 19.03.2009, at 2:48, Jonas Sicking wrote:

> It can, though potentially not as reliably. And it's also something
> we'd like to fix. In other words, port-scanning of intranets isn't
> something I'd like to build into the standard. Especially when
> protection for it comes at a relatively low cost. Low enough that it's
> very doubtful authors will ever notice this.


Fair enough.

This brings another problem, though: scripts can POST large requests
and measure how long it takes. This is quite reliable, too, so
forbidding explicit progress events while keeping POST on simple
method list doesn't buy much security.

In fact, it seems very likely that even timing of preflight requests
makes port scans possible, but I don't have any data to support this
theory.

- WBR, Alexey Proskuryakov
Received on Thursday, 19 March 2009 07:06:57 GMT
