- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 19 Mar 2009 11:00:36 -0700
- To: Ian Hickson <ian@hixie.ch>
- Cc: Alexey Proskuryakov <ap@webkit.org>, public-webapps <public-webapps@w3.org>

On Thu, Mar 19, 2009 at 12:29 AM, Ian Hickson <ian@hixie.ch> wrote:
> On Thu, 19 Mar 2009, Alexey Proskuryakov wrote:
>>
>> In fact, it seems very likely that even timing of preflight requests
>> makes port scans possible, but I don't have any data to support this
>> theory.
>
> Port scans are already possible with unscripted HTML using <img> elements
> and <meta http-equiv="refresh">, and are certainly already possible with
> <img> elements and onload=""/onerror="" events. We lost this particular
> battle a decade and a half ago when nobody was looking.

While I agree that there are other ways of doing this, I think I'd
have a really hard time selling a feature that explicitly allows port
scanning to our security team. Especially when there is an easy
remedy.

/ Jonas

Received on Thursday, 19 March 2009 18:01:16 UTC