- From: Tyler Close <tyler.close@gmail.com>
- Date: Wed, 17 Jun 2009 14:35:02 -0700
- To: Anne van Kesteren <annevk@opera.com>
- Cc: Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org
On Wed, Jun 17, 2009 at 1:01 PM, Anne van Kesteren <annevk@opera.com> wrote:
> On Wed, 17 Jun 2009 19:45:54 +0200, Tyler Close <tyler.close@gmail.com>
> wrote:
>>
>> I believe the described heuristics provide complete coverage for
>> resources behind my company's firewall. Is there a common firewall
>> configuration you are concerned about?
>
> I do not know enough about firewall setups to make an informed comment on
> that, but I do not think it is my responsibility to show that your proposal
> does not have / has flaws.

I suspect the WG's responsibilities are actually broader than that, but...

> If you make your proposal a bit more concrete and
> manage to convince one or vendors to support it we should definitely
> consider it, but until that time this is not much to go by, in my opinion.

For those at work, watching the show, here's the beast we're looking for:

1. A firewalled intranet, where servers behind the firewall have routable
   IP addresses (ie: not 10.*, or 192.168.*)
2. *and* where servers on the Internet are *not* accessed via an HTTP proxy
3. *and* there is a resource on a server behind the firewall that depends
   solely on connectivity for authentication (if you can get packets to me
   you're allowed to use me)
4. *and* where this resource does *not* treat GET and POST as equivalent
   methods
5. *and* where this resource checks that the Content-Type header on a POST
   request is either "application/x-www-form-urlencoded" or "text/plain"

If you find a resource that meets the above criteria, then you've got a
resource that may be secure under CORS, but not under my alternate
proposal.

Do we have any winners? Please ask friends behind other firewalls.

--Tyler

-- 
"Waterken News: Capability security on the Web"
http://waterken.sourceforge.net/recent.html
Received on Wednesday, 17 June 2009 21:35:38 UTC