Re: [XHR2] Upload progress events and simple cross-origin requests

On 19.03.2009, at 2:48, Jonas Sicking wrote:

> It can, though potentially not as reliably. And it's also something
> we'd like to fix. In other words, port-scanning of intranets isn't
> something I'd like to build into the standard. Especially when
> protection for it comes at a relatively low cost. Low enough that it's
> very doubtful authors will ever notice this.

Fair enough.

This brings another problem, though: scripts can POST large requests
and measure how long it takes. This is quite reliable, too, so
forbidding explicit progress events while keeping POST on the simple
method list doesn't buy much security.

In fact, it seems very likely that even timing of preflight requests
makes port scans possible, but I don't have any data to support this
theory.

- WBR, Alexey Proskuryakov

Received on Thursday, 19 March 2009 07:06:57 UTC