[Bug 20322] Document the force preflight flag from bugzilla@jessica.w3.org on 2013-11-11 (public-webapps-bugzilla@w3.org from November 2013)

From: <bugzilla@jessica.w3.org>
Date: Mon, 11 Nov 2013 21:14:21 +0000
To: public-webapps-bugzilla@w3.org
Message-ID: <bug-20322-2532-gWQqxF73UP@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=20322

--- Comment #5 from Hallvord R. M. Steen <hsteen@mozilla.com> ---
Thanks for explaining this a bit more..

So yeah, why do we need a preflight if XHR sends some data and has registered
upload event listeners? Well, I presume there's a concern about cross-origin
information leakage if some upload event listeners fire. Stuff like intranet
port/host sniffing might be possible?

So we should  add something like:

<p class="note">Firing upload events for cross-origin requests requires a
preflight because otherwise, information about the existence of sites and
services might leak across origins.</p>

..although it also seems feasible to just kill the "upload events flag" and do
it this way:
https://github.com/whatwg/xhr/pull/15

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Monday, 11 November 2013 21:14:23 UTC