System.download [was ...]

Jason Orendorff jason.orendorff at gmail.com
Fri Jul 13 02:39:26 PDT 2012


On Fri, Jul 13, 2012 at 3:39 AM, Aymeric Vitte <vitteaymeric at gmail.com> wrote:
> But coming back to my point, I am not talking about a download like an xhr
> where you can set cookies, do post requests, etc, just a download that fetches
> the source, so I don't see it as more dangerous than script or img fetching (or
> System.load) for example.

It's the difference between exposing every image on your intranet to
any random web page that asks for it, and exposing all data on your
intranet to any random web page that asks for it. Any web page could
start by fetching "http://intranet/" and follow the links from there.
This kind of comprehensive spidering of an organization's internal
data is obviously not possible with <img>.

This is basic browser security stuff. I strongly suggest reading up
before posting anything more on this topic.

-j
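The distinction Jason draws (a resource the page can load versus a response whose bytes the page can read) is what browsers implement as opaque responses and CORS. The following is an added example, not code from this thread: a small model of that policy, with a constructed intranet site map, showing why the "fetch http://intranet/ and follow the links" spider goes nowhere unless the target server opts in with Access-Control-Allow-Origin. The function and header names are assumptions for illustration.

```javascript
// Added example (not from the es-discuss thread): a minimal model of how a
// browser decides whether a page at one origin may READ a response from
// another. "no-cors" is what <img>/<script> embedding gets: the request goes
// out and the resource renders or runs, but the body is opaque to the page.
// A raw download API must behave like "cors": the body is readable only if
// the responding server opts in with Access-Control-Allow-Origin.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// mode: "no-cors" (embedding) or "cors" (a body-reading fetch).
// responseHeaders: lower-cased headers from the target server (constructed).
function classifyResponse(pageUrl, targetUrl, mode, responseHeaders = {}) {
  if (originOf(pageUrl) === originOf(targetUrl)) {
    return { fetched: true, readable: true }; // same origin: no restriction
  }
  if (mode === "no-cors") {
    // Cross-origin embed: loads, but the page gets an opaque response.
    return { fetched: true, readable: false };
  }
  if (mode === "cors") {
    const acao = responseHeaders["access-control-allow-origin"];
    const allowed = acao === "*" || acao === originOf(pageUrl);
    return { fetched: true, readable: allowed };
  }
  throw new Error(`unknown mode ${mode}`);
}

// Constructed sample intranet site map: URL -> links found in its body.
const INTRANET_LINKS = {
  "http://intranet/": ["http://intranet/hr", "http://intranet/finance"],
  "http://intranet/hr": ["http://intranet/hr/salaries"],
  "http://intranet/finance": [],
  "http://intranet/hr/salaries": [],
};

// Models the spidering Jason describes. A page can only follow links it can
// read, so an opaque first response means zero pages are exposed.
function spiderReachable(pageUrl, startUrl, links, mode, headersFor) {
  const seen = new Set();
  const queue = [startUrl];
  while (queue.length) {
    const url = queue.shift();
    if (seen.has(url)) continue;
    const r = classifyResponse(pageUrl, url, mode, headersFor(url));
    if (!r.readable) continue; // nothing to parse, nothing to follow
    seen.add(url);
    for (const next of links[url] || []) queue.push(next);
  }
  return [...seen];
}
```

With `mode` fixed to "no-cors" for any third-party page, the same check that lets an intranet image render also leaves `spiderReachable` empty, which is the property a System.download would need to preserve.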

