Re: [XHR2] Upload progress events and simple cross-origin requests

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 19 Mar 2009 11:00:36 -0700
Message-ID: <63df84f0903191100s7bd4aa92p912920b6169bd99c@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: Alexey Proskuryakov <ap@webkit.org>, public-webapps <public-webapps@w3.org>

On Thu, Mar 19, 2009 at 12:29 AM, Ian Hickson <ian@hixie.ch> wrote:
> On Thu, 19 Mar 2009, Alexey Proskuryakov wrote:
>>
>> In fact, it seems very likely that even timing of preflight requests
>> makes port scans possible, but I don't have any data to support this
>> theory.
>
> Port scans are already possible with unscripted HTML using <img> elements
> and <meta http-equiv="refresh">, and are certainly already possible with
> <img> elements and onload=""/onerror="" events. We lost this particular
> battle a decade and a half ago when nobody was looking.

While I agree that there are other ways of doing this, I think I'd
have a really hard time selling a feature that explicitly allows port
scanning to our security team. Especially when there is an easy
remedy.

/ Jonas
Received on Thursday, 19 March 2009 18:01:16 GMT
