
Re: [XHR2] Upload progress events and simple cross-origin requests

From: Alexey Proskuryakov <ap@webkit.org>
Date: Fri, 20 Mar 2009 15:21:17 +0300
Cc: Anne van Kesteren <annevk@opera.com>, Ian Hickson <ian@hixie.ch>, public-webapps <public-webapps@w3.org>
Message-Id: <55301A90-0EFC-4E8E-853A-6D58B1A28369@webkit.org>
To: Jonas Sicking <jonas@sicking.cc>

On 20.03.2009, at 1:52, Jonas Sicking wrote:

> I don't know how easy it is with current technologies to do this
> reliably. Or how big chances are that we can fix those technologies in
> the future to not work at all, or at least be less reliable.
>
> If you have that information I can try to bring a case for security review here.

The examples Ian gave all seem reliable to me.

Besides, I think that my example with timing of POST requests is quite reliable. It has been repeatedly shown that timing-related checks are incredibly powerful - see e.g. <http://www.daemonology.net/hyperthreading-considered-harmful/>.

A possible counter-argument is that there is more than simple port scanning that we should worry about - with sufficient out of band information, it could be possible to precisely detect operating systems and services on the internal network, see <http://nmap.org/book/osdetect.html>. I doubt that upload progress events provide much above upload timing in this regard, but it might be that they do.

- WBR, Alexey Proskuryakov
Received on Friday, 20 March 2009 12:21:54 GMT