- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 29 Sep 2009 15:15:17 +0200
- To: "Jonas Sicking" <jonas@sicking.cc>
- Cc: "Alexey Proskuryakov" <ap@webkit.org>, "Ian Hickson" <ian@hixie.ch>, public-webapps <public-webapps@w3.org>
On Mon, 28 Sep 2009 18:30:38 +0200, Jonas Sicking <jonas@sicking.cc> wrote: > I still am of the opinion that we shouldn't send upload progress > events unless a preflight has been done. This is the solution we're > using in Firefox since CORS was implemented in 3.5. If someone is > willing to propose a algorithm for faking progress events in order to > attempt to twart port-scanning then I'd love to bring that to our > security people and see if it's good enough. Until then I don't see > Firefox implementation changing. > > Does that answer the question? No. I thought Ian and Alexey have both given sufficient examples that show that the extra protection does not add anything which you would then forward to the security people from Mozilla and give us the outcome. Based on that and other evaluations we could then decide whether to keep the requirement in the specification. -- Anne van Kesteren http://annevankesteren.nl/
Received on Tuesday, 29 September 2009 13:16:08 UTC