Re: [XHR2] Upload progress events and simple cross-origin requests

On Thu, Mar 19, 2009 at 12:29 AM, Ian Hickson <ian@hixie.ch> wrote:
> On Thu, 19 Mar 2009, Alexey Proskuryakov wrote:
>>
>> In fact, it seems very likely that even timing of preflight requests
>> makes port scans possible, but I don't have any data to support this
>> theory.
>
> Port scans are already possible with unscripted HTML using <img> elements
> and <meta http-equiv="refresh">, and are certainly already possible with
> <img> elements and onload=""/onerror="" events. We lost this particular
> battle a decade and a half ago when nobody was looking.

While I agree that there are other ways of doing this, I think I'd
have a really hard time selling a feature that explicitly allows port
scanning to our security team. Especially when there is an easy
remedy.

/ Jonas

Received on Thursday, 19 March 2009 18:01:16 UTC