- From: Mike West <notifications@github.com>
- Date: Tue, 09 Mar 2021 06:11:26 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 9 March 2021 14:11:38 UTC
@yutakahirano:

> Will private networks be covered by https://github.com/wicg/private-network-access?

Ideally, yes, but that seems somewhat orthogonal to the question here.

> Is it reasonable to require CORS preflights for requests to non-allow-listed ports?

If we wanted to go this route, I think we could more simply require TLS for non-allowlisted ports. It seems to me that encryption would substantially mitigate the Slipstream style of attack.

@MattMenke2:

> Given that proxy autoconfig remains enabled by default on Windows, I think we'll likely need to continue using the same blacklist for proxies, in practice.

I don't understand the risk here (because I know little to nothing about proxy configuration on Windows). Can a web-based attacker force a user to use a given proxy? That seems bad.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1189#issuecomment-793948745