undefined | Better HN

0 pointsgsnedders6y ago0 comments

Timing attacks make it very hard to prevent port/host probing generally, sadly, with the sheer number of things that are observably loaded cross-origin (iframes in that example, but also images, scripts, stylesheets…).

(In the private/loopback IP ranges we should really just make those requests always fail, but I addressed that in another comment as to why that's not trivial.)

0 comments

1 comments · 1 top-level

parliament326y ago

Private and loopback space should really be outside the sandbox, or at least in a permission. I'm happy with mycorp.net accessing 10/8 space, but not ebay.

j / k navigate · click thread line to collapse