- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 23 May 2012 09:10:49 +0200
- To: Jason Duell <jduell.mcbugs@gmail.com>
- Cc: Simon Pieters <simonp@opera.com>, public-webapps@w3.org

On Wed, May 23, 2012 at 6:21 AM, Jason Duell <jduell.mcbugs@gmail.com> wrote:
> Could you say more about why a simple "connection not available" would
> be a security problem, Simon? We already have a code for the special
> case of TLS handshake failing: a code that encompasses every other
> reason why the connection wasn't made doesn't seem obviously risky to
> me (but I'm no security expert).

The basic idea is to expose as little of cross-origin hosts as
possible, because otherwise your intranet can be mapped. That the
WebSocket API exposes more than XMLHttpRequest and other network
request APIs seems somewhat questionable already. Was that
intentional?

--
Anne — Opera Software
http://annevankesteren.nl/
http://www.opera.com/

Received on Wednesday, 23 May 2012 07:11:44 UTC