- From: Kornel Lesinski <kornel@ldreams.net>
- Date: Thu, 26 May 2005 22:38:33 +0100
On Thu, 26 May 2005 21:30:18 +0100, Charles Iliya Krempeaux <supercanadian at gmail.com> wrote:

>> To have your own connections you'd have to use a port other than 80 and
>> that may be disallowed on many restricted systems.
>
> Could you please elaborate on this?

Clients that have many blocked ports on the firewall - for example to block P2P inside school networks.

>> If the user navigates to the next page, the browser will destroy your JS objects
>> and close their connections.
> I don't really see this as a problem. A web application would be "one
> page" (with possibly other pages embedded in it).

You're right.

>> Even if connections are limited to the same host, you couldn't safely
>> serve anything else on it. Spammers might use numerous HTML-injection
>> techniques to send spam using other people's computers, and this may get
>> much worse if host restriction fails.
> Could you please elaborate on this?

Let's say there's a website

example.com/page.php?name=John

that prints

Hello "John"!

On your website, if you create an iframe with the URL:

example.com/page.php?name=<script>connectPort(25).send("HELO...SPAM...SPAM");</script>

every visitor will send spam using the example.com server.

On second thought, this may be prevented by forcing some special handshake or transport protocol for custom connections... but then this feature becomes just an alternative to HTTP + XML RPC that only offers smaller lag for the price of increased complexity and worse browser/server support. Is it worth it?

--
regards, Kornel Lesinski
Received on Thursday, 26 May 2005 14:38:33 UTC
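
The "special handshake" idea from the last paragraph of the message, as an added JavaScript example that is not part of the original e-mail: the browser writes page-supplied data only after the server answers a fixed opt-in greeting, so a mail server that never opted in receives none of it. The token names, `connectGated` and both fake servers are hypothetical, and the nonce and server replies are constructed sample values.

```javascript
// Hypothetical opt-in handshake for script-opened sockets (illustration only).
const HELLO = "SOCKET-OPT-IN?";    // written by the browser, never by page script
const ACCEPT = "SOCKET-OPT-IN-OK"; // only a cooperating server sends this back

// Browser side: `payload` comes from page script, but it reaches the socket
// only after the server has proved that it speaks the opt-in protocol.
function connectGated(server, nonce, payload) {
  const reply = server.receive(`${HELLO} ${nonce}\r\n`);
  if (reply !== `${ACCEPT} ${nonce}\r\n`) {
    server.close();
    return { connected: false, reason: "server did not opt in" };
  }
  server.receive(payload);
  return { connected: true };
}

// Constructed stand-in for the SMTP service on port 25: it answers the
// unknown greeting with an error and would accept later lines as commands.
function fakeSmtpServer() {
  const log = [];
  return {
    log,
    receive(data) { log.push(data); return "500 5.5.1 Command unrecognized\r\n"; },
    close() { log.push("<closed>"); },
  };
}

// Constructed stand-in for a server that deliberately supports the handshake.
function fakeOptInServer() {
  const log = [];
  return {
    log,
    receive(data) {
      log.push(data);
      const m = /^SOCKET-OPT-IN\? ([0-9a-f]+)\r\n$/.exec(data);
      return m ? `${ACCEPT} ${m[1]}\r\n` : "";
    },
    close() { log.push("<closed>"); },
  };
}

function demo() {
  const nonce = "9f2c4e7a1b3d5f60";  // constructed; a browser would use a CSPRNG
  const injected = "HELO...SPAM...SPAM"; // placeholder string from the message
  const smtp = fakeSmtpServer();
  const app = fakeOptInServer();
  const smtpResult = connectGated(smtp, nonce, injected);
  const appResult = connectGated(app, nonce, "hello app");
  return { smtpResult, smtpSaw: smtp.log, appResult, appSaw: app.log };
}
```

The mail server still sees the greeting line, but that line is fixed by the browser and carries no page-controlled content.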