Re: [XHR2] Upload progress events and simple cross-origin requests

On Mon, Sep 28, 2009 at 4:57 AM, Anne van Kesteren <annevk@opera.com> wrote:
> Any update on this Jonas?
>
> On Fri, 20 Mar 2009 13:21:17 +0100, Alexey Proskuryakov <ap@webkit.org>
> wrote:
>>
>> 20.03.2009, в 1:52, Jonas Sicking написал(а):
>>
>>> I don't know how easy it is with current technologies to do this
>>> reliably. Or how big chances are that we can fix those technologies in
>>> the future to not work at all, or at least be less reliable.
>>>
>>> If you have that information I can try to bring a case for security
>>> review here.
>>
>> The examples Ian gave all seem reliable to me.
>>
>> Besides, I think that my example with timing of POST requests is quite
>> reliable. It has been repeatedly shown that timing-related checks are
>> incredibly powerful - see e.g.
>> <http://www.daemonology.net/hyperthreading-considered-harmful/ >.
>>
>> A possible counter-argument is that there is more than simple port
>> scanning that we should worry about - with sufficient out of band
>> information, it could be possible to precisely detect operating systems and
>> services on the internal network, see <http://nmap.org/book/osdetect.html >.
>> I doubt that upload progress events provide much above upload timing in this
>> regard, but it might be that they do.

This is a while ago so I'm not sure I fully remember what the exact question is.

I still am of the opinion that we shouldn't send upload progress
events unless a preflight has been done. This is the solution we're
using in Firefox since CORS was implemented in 3.5. If someone is
willing to propose a algorithm for faking progress events in order to
attempt to twart port-scanning then I'd love to bring that to our
security people and see if it's good enough. Until then I don't see
Firefox implementation changing.

Does that answer the question?

/ Jonas

Received on Monday, 28 September 2009 16:31:44 UTC