On Wed, May 23, 2012 at 6:21 AM, Jason Duell <[email protected]> wrote:
> Could you say more about why a simple "connection not available" would
> be a security problem, Simon? We already have a code for the special
> case of TLS handshake failing: a code that encompasses every other
> reason why the connection wasn't made doesn't seem obviously risky to
> me (but I'm no security expert)..

The basic idea is to expose as little of cross-origin hosts as possible, because otherwise your intranet can be mapped. That the WebSocket API exposes more than XMLHttpRequest and other network request APIs seems somewhat questionable already. Was that intentional?

--
Anne — Opera Software
http://annevankesteren.nl/
http://www.opera.com/
