On Mon, 28 Sep 2009 18:30:38 +0200, Jonas Sicking <[email protected]> wrote:
> I still am of the opinion that we shouldn't send upload progress
> events unless a preflight has been done. This is the solution we're
> using in Firefox since CORS was implemented in 3.5. If someone is
> willing to propose an algorithm for faking progress events in order to
> attempt to thwart port-scanning then I'd love to bring that to our
> security people and see if it's good enough. Until then I don't see
> Firefox implementation changing.
> Does that answer the question?

No. I thought Ian and Alexey have both given sufficient examples that show
that the extra protection does not add anything which you would then
forward to the security people from Mozilla and give us the outcome. Based
on that and other evaluations we could then decide whether to keep the
requirement in the specification.
--
Anne van Kesteren
http://annevankesteren.nl/