
Re: [XHR2] Upload progress events and simple cross-origin requests

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 28 Sep 2009 13:57:59 +0200
To: "Alexey Proskuryakov" <ap@webkit.org>, "Jonas Sicking" <jonas@sicking.cc>
Cc: "Ian Hickson" <ian@hixie.ch>, public-webapps <public-webapps@w3.org>
Message-ID: <op.u0yt6xzu64w2qv@annevk-t60>

Any update on this, Jonas?

On Fri, 20 Mar 2009 13:21:17 +0100, Alexey Proskuryakov <ap@webkit.org>  
wrote:
> On 20.03.2009, at 1:52, Jonas Sicking wrote:
>
>> I don't know how easy it is with current technologies to do this
>> reliably. Or how big the chances are that we can fix those technologies in
>> the future to not work at all, or at least be less reliable.
>>
>> If you have that information I can try to bring a case for security  
>> review here.
>
> The examples Ian gave all seem reliable to me.
>
> Besides, I think that my example with timing of POST requests is quite  
> reliable. It has been repeatedly shown that timing-related checks are  
> incredibly powerful - see e.g.  
> <http://www.daemonology.net/hyperthreading-considered-harmful/>.
>
> A possible counter-argument is that there is more than simple port  
> scanning that we should worry about - with sufficient out of band  
> information, it could be possible to precisely detect operating systems  
> and services on the internal network, see  
> <http://nmap.org/book/osdetect.html>. I doubt that upload progress  
> events provide much above upload timing in this regard, but it might be  
> that they do.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Monday, 28 September 2009 11:58:42 GMT
