W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2009

Re: [XHR2] Upload progress events and simple cross-origin requests

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 28 Sep 2009 09:30:38 -0700
Message-ID: <63df84f0909280930h6723c6b4g629f271bd05762e@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: Alexey Proskuryakov <ap@webkit.org>, Ian Hickson <ian@hixie.ch>, public-webapps <public-webapps@w3.org>
On Mon, Sep 28, 2009 at 4:57 AM, Anne van Kesteren <annevk@opera.com> wrote:
> Any update on this Jonas?
> On Fri, 20 Mar 2009 13:21:17 +0100, Alexey Proskuryakov <ap@webkit.org>
> wrote:
>> 20.03.2009, в 1:52, Jonas Sicking написал(а):
>>> I don't know how easy it is with current technologies to do this
>>> reliably. Or how big chances are that we can fix those technologies in
>>> the future to not work at all, or at least be less reliable.
>>> If you have that information I can try to bring a case for security
>>> review here.
>> The examples Ian gave all seem reliable to me.
>> Besides, I think that my example with timing of POST requests is quite
>> reliable. It has been repeatedly shown that timing-related checks are
>> incredibly powerful - see e.g.
>> <http://www.daemonology.net/hyperthreading-considered-harmful/ >.
>> A possible counter-argument is that there is more than simple port
>> scanning that we should worry about - with sufficient out of band
>> information, it could be possible to precisely detect operating systems and
>> services on the internal network, see <http://nmap.org/book/osdetect.html >.
>> I doubt that upload progress events provide much above upload timing in this
>> regard, but it might be that they do.

This is a while ago so I'm not sure I fully remember what the exact question is.

I still am of the opinion that we shouldn't send upload progress
events unless a preflight has been done. This is the solution we're
using in Firefox since CORS was implemented in 3.5. If someone is
willing to propose a algorithm for faking progress events in order to
attempt to twart port-scanning then I'd love to bring that to our
security people and see if it's good enough. Until then I don't see
Firefox implementation changing.

Does that answer the question?

/ Jonas
Received on Monday, 28 September 2009 16:31:44 UTC

This archive was generated by hypermail 2.3.1 : Friday, 27 October 2017 07:26:19 UTC