Re: [XHR2] Upload progress events and simple cross-origin requests

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 29 Sep 2009 15:15:17 +0200
To: "Jonas Sicking" <jonas@sicking.cc>
Cc: "Alexey Proskuryakov" <ap@webkit.org>, "Ian Hickson" <ian@hixie.ch>, public-webapps <public-webapps@w3.org>
Message-ID: <op.u00sfrad64w2qv@annevk-t60>
On Mon, 28 Sep 2009 18:30:38 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> I still am of the opinion that we shouldn't send upload progress
> events unless a preflight has been done. This is the solution we're
> using in Firefox since CORS was implemented in 3.5. If someone is
> willing to propose an algorithm for faking progress events in order to
> attempt to thwart port-scanning then I'd love to bring that to our
> security people and see if it's good enough. Until then I don't see
> Firefox implementation changing.
> Does that answer the question?

No. I thought Ian and Alexey have both given sufficient examples that show  
that the extra protection does not add anything which you would then  
forward to the security people from Mozilla and give us the outcome. Based  
on that and other evaluations we could then decide whether to keep the  
requirement in the specification.

Anne van Kesteren
Received on Tuesday, 29 September 2009 13:16:08 UTC