Re: [XHR2] Upload progress events and simple cross-origin requests from Jonas Sicking on 2009-03-18 (public-webapps@w3.org from January to March 2009)

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 18 Mar 2009 16:48:36 -0700
To: Alexey Proskuryakov <ap@webkit.org>
Cc: public-webapps <public-webapps@w3.org>
Message-ID: <63df84f0903181648s41361cf8k13dea7bb8f9f52a6@mail.gmail.com>

On Wed, Mar 18, 2009 at 1:04 PM, Alexey Proskuryakov <ap@webkit.org> wrote:
> Per the current XHR2 spec draft, upload progress events are not sent if the
> cross-origin request didn't do preflight. What is the rationale behind this
> requirement?
>
> I used to think that this was necessary to prevent port scans of internal
> networks, but that can be done via other mechanisms anyway, as far as I
> know.

It can, though potentially not as reliably. And it's also something
we'd like to fix. In other words, port-scanning of intranets isn't
something I'd like to build into the standard. Especially when
protection for it comes at a relatively low cost. Low enough that it's
very doubtful authors will ever notice this.

/ Jonas

Received on Wednesday, 18 March 2009 23:49:20 UTC