- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 17 Jun 2009 23:19:36 +0000 (UTC)
- To: Tyler Close <tyler.close@gmail.com>
- Cc: Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, public-webapps@w3.org

On Wed, 17 Jun 2009, Tyler Close wrote:
> >
> > I believe we have such services at Google, though for obvious reasons
> > I wouldn't want to elaborate on that.
>
> Wow, if you could just confirm their existence, that would do fine. So
> this resource acts on PUT or DELETE, or POST of a Content-Type other
> than "application/x-www-form-urlencoded" or "text/plain"? And it checks
> the Content-Type header? And it doesn't require any user credentials at
> all? Connectivity is good enough.

What you describe here seems to differ from what you described previously.
I don't feel comfortable talking about our internal services, though, so
I'd rather not elaborate.

> Is there any way a browser could tell a request is being sent to a
> server behind your firewall, and not a server on the open Internet?

No.

> > Is this the proposal to which you refer?:
> >
> > http://lists.w3.org/Archives/Public/public-webapps/2009AprJun/1011.html
>
> Yes.

This seems to fail for cases that aren't even Intranet cases. Consider for
instance a publicly accessible SOAP service that does authentication on an
IP address basis only, and relies on checking the Content-Type header to
make sure forms can't submit to it.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 17 June 2009 23:20:09 UTC
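
The kind of service described in the last paragraph of the message, as an added example that is not part of the original e-mail and not code from any real service: a guard that trusts the source IP and the Content-Type header, next to a variant that also checks the Origin header. All function names, addresses and sample requests are constructed; the Origin check is one assumed mitigation and relies on browsers attaching Origin to cross-site requests.

```javascript
// Added illustration: every name, IP and request below is constructed.
// Media types an HTML form can submit without any script.
const FORM_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Strip parameters such as "; charset=utf-8" and normalise case.
function mediaType(header) {
  return String(header || "").split(";")[0].trim().toLowerCase();
}

// Guard as described in the message: IP allowlist plus a Content-Type check.
function contentTypeOnlyGuard(req, allowedIps) {
  if (!allowedIps.has(req.ip)) return false;
  const type = mediaType(req.headers["content-type"]);
  return type !== "" && !FORM_TYPES.has(type);
}

// Assumed mitigation: also refuse any request whose Origin header is
// present but not explicitly trusted. Non-browser clients send no Origin.
function originAwareGuard(req, allowedIps, trustedOrigins) {
  if (!contentTypeOnlyGuard(req, allowedIps)) return false;
  const origin = req.headers["origin"];
  return origin === undefined || trustedOrigins.has(origin);
}

const ALLOWED_IPS = new Set(["203.0.113.10"]);            // documentation range
const TRUSTED_ORIGINS = new Set(["https://app.example"]); // hypothetical
const OTHER = "https://other.example";                    // untrusted site

const SAMPLES = {
  soapClient: { ip: "203.0.113.10", headers: { "content-type": "text/xml; charset=utf-8" } },
  htmlForm: { ip: "203.0.113.10", headers: { "content-type": "text/plain", origin: OTHER } },
  // Browser at an allowed IP, non-form Content-Type, request started by another site.
  crossSiteScript: { ip: "203.0.113.10", headers: { "content-type": "text/xml", origin: OTHER } },
  unknownIp: { ip: "198.51.100.7", headers: { "content-type": "text/xml" } },
};

// Run both guards over every sample and return the decisions by name.
function evaluate() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) {
    out[name] = {
      contentTypeOnly: contentTypeOnlyGuard(req, ALLOWED_IPS),
      originAware: originAwareGuard(req, ALLOWED_IPS, TRUSTED_ORIGINS),
    };
  }
  return out;
}
```

The `crossSiteScript` sample is the case the message worries about: the Content-Type check alone accepts it, because that check only holds while browsers cannot send non-form content types across sites.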