Re: [cors] Add 'Range' to simple headers

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 13 Jan 2014 20:18:53 +0000
Message-ID: <CADnb78hC2mcwn7a-n6t8TN9+ofsVrA+kAeUp27hOmK+wOOHR7A@mail.gmail.com>
To: Steven Robertson <strobe@google.com>
Cc: WebAppSec WG <public-webappsec@w3.org>

On Mon, Jan 13, 2014 at 7:52 PM, Steven Robertson <strobe@google.com> wrote:
> The application I work on is latency-sensitive and uses the Media Source API
> in concert with XHR to download media bytes. In order to avoid the latency
> cost of a preflight to each host in our CDN, we have developed a workaround
> where we use a 'range=' query arg to subset an existing resource. This
> workaround is suboptimal, and we would prefer to use a Range header, but the
> latency impact of the extra request has a significant impact on quality of
> experience.
>
> What are your thoughts regarding the addition of 'Range' as a simple request
> header to allow for this use-case?

So in this scenario you set the Range header yourself using XMLHttpRequest?


It would allow for http://httpd.apache.org/security/CVE-2011-3192.txt
to be carried out in a distributed manner. E.g. evilpopularforum.org
could use it to DDOS goodpopularforum.org or some such. Cannot see
much harm other than that.


-- 
http://annevankesteren.nl/
Received on Monday, 13 January 2014 20:19:21 UTC
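
Added example, not part of the original message: CVE-2011-3192 concerned Range headers listing many overlapping byte ranges, so a server that would receive cross-origin Range requests without a preflight can bound its work by capping the number of ranges and coalescing overlaps before serving. `vetRange`, `MAX_RANGES` and the cap value are hypothetical choices made for this sketch, and the sample header is constructed.

```javascript
// Constructed sample: three overlapping ranges over one resource.
const SAMPLE_HEADER = 'bytes=0-,0-10,5-20';
const MAX_RANGES = 8; // assumed policy value, not from the thread

// Returns { status, ranges }: 200 = ignore the header and serve the whole
// resource; 206 = serve the coalesced [start, end] ranges; 416 = none satisfiable.
function vetRange(header, size, maxRanges = MAX_RANGES) {
  const full = { status: 200, ranges: [] };
  const m = /^bytes=(.+)$/.exec(String(header || '').trim());
  if (!m) return full;                        // absent, other unit, or malformed
  const specs = m[1].split(',').map((s) => s.trim());
  if (specs.length > maxRanges) return full;  // too many ranges: ignore the header
  const resolved = [];
  for (const spec of specs) {
    const p = /^(\d*)-(\d*)$/.exec(spec);     // strict: empty list items are rejected
    if (!p || (p[1] === '' && p[2] === '')) return full;
    let start, end;
    if (p[1] === '') {                        // suffix form "-n": the last n bytes
      const n = Number(p[2]);
      if (n === 0) continue;
      start = Math.max(0, size - n);
      end = size - 1;
    } else {
      start = Number(p[1]);
      if (p[2] !== '' && Number(p[2]) < start) return full; // last < first
      end = p[2] === '' ? size - 1 : Math.min(Number(p[2]), size - 1);
    }
    if (start >= size) continue;              // begins past the end: unsatisfiable
    resolved.push([start, end]);
  }
  if (resolved.length === 0) return { status: 416, ranges: [] };
  // Coalesce overlapping or adjacent ranges so no byte is sent twice.
  resolved.sort((a, b) => a[0] - b[0]);
  const merged = [resolved[0]];
  for (const [s, e] of resolved.slice(1)) {
    const last = merged[merged.length - 1];
    if (s <= last[1] + 1) last[1] = Math.max(last[1], e);
    else merged.push([s, e]);
  }
  return { status: 206, ranges: merged };
}

console.log(vetRange(SAMPLE_HEADER, 1000));
```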
