
Re: [XHR2] Upload progress events and simple cross-origin requests

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 19 Mar 2009 15:52:57 -0700
Message-ID: <63df84f0903191552m24280c2fo276c6410acc53d9e@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: Ian Hickson <ian@hixie.ch>, Alexey Proskuryakov <ap@webkit.org>, public-webapps <public-webapps@w3.org>

On Thu, Mar 19, 2009 at 3:18 PM, Anne van Kesteren <annevk@opera.com> wrote:
> On Thu, 19 Mar 2009 19:00:36 +0100, Jonas Sicking <jonas@sicking.cc> wrote:
>>
>> While I agree that there are other ways of doing this, I think I'd
>> have a really hard time selling a feature that explicitly allows port
>> scanning to our security team. Especially when there is an easy
>> remedy.
>
> Since there are other ways of doing this, who are we helping exactly by
> making things more complicated for developers, implementors, and the
> specification author? Certainly not the user, because he is "vulnerable"
> either way.

I don't know how easy it is with current technologies to do this
reliably, or how big the chances are that we can fix those technologies in
the future to not work at all, or at least be less reliable.

If you have that information I can try to bring a case for security review here.

There's also the argument that we can always relax this requirement in
the future as it would be a compatible change.

/ Jonas
Received on Thursday, 19 March 2009 22:53:33 GMT