Re: [XHR2] Upload progress events and simple cross-origin requests

Any update on this Jonas?

On Fri, 20 Mar 2009 13:21:17 +0100, Alexey Proskuryakov <>  
> 20.03.2009, в 1:52, Jonas Sicking написал(а):
>> I don't know how easy it is with current technologies to do this
>> reliably. Or how big chances are that we can fix those technologies in
>> the future to not work at all, or at least be less reliable.
>> If you have that information I can try to bring a case for security  
>> review here.
> The examples Ian gave all seem reliable to me.
> Besides, I think that my example with timing of POST requests is quite  
> reliable. It has been repeatedly shown that timing-related checks are  
> incredibly powerful - see e.g.  
> < >.
> A possible counter-argument is that there is more than simple port  
> scanning that we should worry about - with sufficient out of band  
> information, it could be possible to precisely detect operating systems  
> and services on the internal network, see  
> < >. I doubt that upload progress  
> events provide much above upload timing in this regard, but it might be  
> that they do.

Anne van Kesteren

Received on Monday, 28 September 2009 11:58:42 UTC