
Re: Proposal: add websocket close codes for "server not found" and/or "too many websockets open"

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 23 May 2012 09:10:49 +0200
Message-ID: <CADnb78j3fJ-XKjiUDQaN=RhzwP=aeOTOU3gb-3vPH4TWBo4GYg@mail.gmail.com>
To: Jason Duell <jduell.mcbugs@gmail.com>
Cc: Simon Pieters <simonp@opera.com>, public-webapps@w3.org

On Wed, May 23, 2012 at 6:21 AM, Jason Duell <jduell.mcbugs@gmail.com> wrote:
> Could you say more about why a simple "connection not available" would
> be a security problem, Simon?  We already have a code for the special
> case of TLS handshake failing: a code that encompasses every other
> reason why the connection wasn't made doesn't seem obviously risky to
> me (but I'm no security expert).

The basic idea is to expose as little of cross-origin hosts as
possible, because otherwise your intranet can be mapped. That the
WebSocket API exposes more than XMLHttpRequest and other network
request APIs seems somewhat questionable already. Was that
intentional?


-- 
Anne — Opera Software
http://annevankesteren.nl/
http://www.opera.com/
Received on Wednesday, 23 May 2012 07:11:44 GMT
