- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 20 Jul 2012 20:22:27 +0000 (UTC)
- To: Henry Story <henry.story@bblfish.net>
- cc: "Tab Atkins Jr." <jackalmage@gmail.com>, Adam Barth <w3c@adambarth.com>, Cameron Jones <cmhjones@gmail.com>, Anne van Kesteren <annevk@annevk.nl>, public-webapps <public-webapps@w3.org>, public-webappsec@w3.org

On Fri, 20 Jul 2012, Henry Story wrote:
>
> How many of those would use ip addresses that are not standard private
> ip addresses? (Because if they do, then they would not be affected). Of
> those that do not, would IPV6 offer them a scheme where they could
> easily use standard private ip addresses?

I think you're missing the point, which is that Web browser implementors are not willing to risk breaking any such deployments, however convoluted that makes the resulting technology.

If you want a technology to be implemented, you have to consider implementors' constraints as hard constraints on your designs. In this case, the constraint is that they will not implement anything that increases the potential attack surface area, whether or not the potentially vulnerable deployed services are designed sanely.

Once you realise that this is a hard constraint, questions such as yours above are obviously moot.

HTH,
--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Friday, 20 July 2012 20:22:52 UTC