- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 13 Jan 2014 20:18:53 +0000
- To: Steven Robertson <strobe@google.com>
- Cc: WebAppSec WG <public-webappsec@w3.org>

On Mon, Jan 13, 2014 at 7:52 PM, Steven Robertson <strobe@google.com> wrote:
> The application I work on is latency-sensitive and uses the Media Source API
> in concert with XHR to download media bytes. In order to avoid the latency
> cost of a preflight to each host in our CDN, we have developed a workaround
> where we use a 'range=' query arg to subset an existing resource. This
> workaround is suboptimal, and we would prefer to use a Range header, but the
> latency impact of the extra request has a significant impact on quality of
> experience.
>
> What are your thoughts regarding the addition of 'Range' as a simple request
> header to allow for this use-case?

So in this scenario you set the Range header yourself using XMLHttpRequest?

It would allow for http://httpd.apache.org/security/CVE-2011-3192.txt
to be carried out in a distributed manner. E.g. evilpopularforum.org
could use it to DDOS goodpopularforum.org or some such. Cannot see much
harm other than that.

--
http://annevankesteren.nl/

Received on Monday, 13 January 2014 20:19:21 UTC
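
A server-side guard for the concern raised in this message, as an added example that is not part of the original thread or of any project mentioned in it: it caps and de-duplicates byte ranges so a request carrying many or overlapping ranges (the pattern behind the advisory linked above) costs at most one copy of the resource. The function names, the `MAX_RANGES` value and the policy of rejecting any malformed or unsatisfiable header are assumptions of this example.

```javascript
// Added example: server-side guard for the Range request header.
// MAX_RANGES is an assumed policy value, not taken from the thread.
const MAX_RANGES = 5;

// Parse "bytes=0-99,200-299" into [{start, end}] for a resource of `size` bytes.
// Returns null when any range is malformed or unsatisfiable (this example's
// policy is stricter than simply ignoring the bad parts).
function parseByteRanges(header, size) {
  const m = /^bytes=(.+)$/.exec(header.trim());
  if (!m) return null;
  const ranges = [];
  for (const part of m[1].split(",")) {
    const spec = /^\s*(\d*)-(\d*)\s*$/.exec(part);
    if (!spec || (spec[1] === "" && spec[2] === "")) return null;
    let start, end;
    if (spec[1] === "") {
      // Suffix form "-N": the last N bytes of the resource.
      const n = Number(spec[2]);
      if (n === 0) return null;
      start = Math.max(size - n, 0);
      end = size - 1;
    } else {
      start = Number(spec[1]);
      end = spec[2] === "" ? size - 1 : Math.min(Number(spec[2]), size - 1);
    }
    if (start > end) return null;
    ranges.push({ start, end });
  }
  return ranges;
}

// Decide how to answer: "partial" (serve 206), "full" (ignore Range, serve 200),
// or "reject" (416). Too many or overlapping ranges fall back to the full body,
// so one request never costs more than one copy of the resource.
function rangePolicy(header, size) {
  const ranges = parseByteRanges(header, size);
  if (ranges === null) return "reject";
  if (ranges.length > MAX_RANGES) return "full";
  const sorted = [...ranges].sort((a, b) => a.start - b.start);
  for (let i = 1; i < sorted.length; i++) {
    if (sorted[i].start <= sorted[i - 1].end) return "full";
  }
  return "partial";
}
```
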