- From: Alexey Proskuryakov <ap@webkit.org>
- Date: Thu, 19 Mar 2009 10:06:20 +0300
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: public-webapps <public-webapps@w3.org>
On 19.03.2009, at 2:48, Jonas Sicking wrote:

> It can, though potentially not as reliably. And it's also something
> we'd like to fix. In other words, port-scanning of intranets isn't
> something I'd like to build into the standard. Especially when
> protection for it comes at a relatively low cost. Low enough that it's
> very doubtful authors will ever notice this.

Fair enough. This brings another problem, though: scripts can POST large requests and measure how long it takes. This is quite reliable, too, so forbidding explicit progress events while keeping POST on the simple method list doesn't buy much security.

In fact, it seems very likely that even timing of preflight requests makes port scans possible, but I don't have any data to support this theory.

- WBR, Alexey Proskuryakov
Received on Thursday, 19 March 2009 07:06:57 UTC