Re: Proposal: add websocket close codes for "server not found" and/or "too many websockets open" from Anne van Kesteren on 2012-05-23 (public-webapps@w3.org from April to June 2012)

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 23 May 2012 09:10:49 +0200
To: Jason Duell <jduell.mcbugs@gmail.com>
Cc: Simon Pieters <simonp@opera.com>, public-webapps@w3.org
Message-ID: <CADnb78j3fJ-XKjiUDQaN=RhzwP=aeOTOU3gb-3vPH4TWBo4GYg@mail.gmail.com>

On Wed, May 23, 2012 at 6:21 AM, Jason Duell <jduell.mcbugs@gmail.com> wrote:
> Could you say more about why a simple "connection not available" would
> be a security problem, Simon?  We already have a code for the special
> case of TLS handshake failing: a code that encompasses every other
> reason why the connection wasn't made doesn't seem obviously risky to
> me (but I'm no security expert)..

The basic idea is to expose as little of cross-origin hosts as
possible, because otherwise your intranet can be mapped. That the
WebSocket API exposes more than XMLHttpRequest and other network
request APIs seems somewhat questionable already. Was that
intentional?

-- 
Anne — Opera Software
http://annevankesteren.nl/
http://www.opera.com/

Received on Wednesday, 23 May 2012 07:11:44 UTC