
SVG1.2 and network sockets was: SVG1.2 and web applications

From: Fred P. <fprog26@hotmail.com>
Date: Mon, 18 Aug 2003 11:24:40 -0400
To: www-svg@w3.org
Message-ID: <BAY2-F14757OHFE8Pvs0002f4c7@hotmail.com>

Network thread discussion merged:
---------------------------------

Randy> == Randy Nonay  <randy.nonay *at* net-linx.com>
Jim>   == Jim Ley      <jim *at* jibbering.com>
Robin> == Robin Berjon <robin.berjon *at* expway.fr>


Randy> The single biggest hurdle to this idea is that the very technology required to
Randy> make it happen (the ability to use the network interfaces in 1.2) will also make
Randy> it unsafe to use.  Just imagine a cross-platform capable MS Outlook. Throw in
Randy> the ability to make RPC and you have a very nice delivery mechanism for
Randy> virus/trojans/worms... and they won't target just MS platforms, but anything
Randy> using the svg functionality.
Randy>
Randy>   There must be very strict control over what is allowed via this type of
Randy> interface or it will single-handedly kill svg...
Randy>
Randy>   Randy


I agree with you on this point,
you don't want to create a new trend of virus/trojan/worm
to be ECMAScript/JavaScript based instead of VBA scripts!
Don't redo Microsoft Designer mistakes! =)

Thanks for reminding us and being the watchdog of such awful design mistakes! =P

I don't want my name to be associated with such an idea! =)  No thanks!
[ 5 years later:  Who suggested that SVG have network sockets and led to 1000 worms being spread on the net?  ahhhhhh!!! ]

I was more looking for an efficient solution,
XML-RPC and SOAP support are good enough for me.

Jim> > Maybe a Socket Interface to TCP/UDP sockets?
Jim> I think Sockets are the only sensible (in addition to beefed up
Jim> getURL/postURL), then we can build our own solutions to any format we want.

Jim> > Maybe all this can be done via XML-RPC or SOAP support?

Jim> No!, we need sockets, and definitely do not want to be limited to XML
Jim> solutions.

What about an SSH interface?
Would that be targeted as safe or unsafe?

Therefore, keeping the secure transfer thing
and allowing people to write their own non-XML protocol.

Anyway, does someone really want to create their own protocol over SSH in JavaScript ???
It seems a major case of JavaScript abuse/torture to me, isn't it !?

Robin>> Network interface would be nice
Robin>> (simple like Perl FTP, IRC, HTTP CPAN modules)
Robin>> Maybe a Socket Interface to TCP/UDP sockets?

Robin> If we provided the minimum TCP/UDP interface and users had to build their own
Robin> protocols on top of it, would you be satisfied?

That would be too low level for me at least =)
Implementing FTP in C/C++ is quite something, doing it in JavaScript ?!? Are you serious!

Robin> Have you given thought to the security model?

Security on the data such as encryption (SSL) depends on the application mostly.
Security as of the network interface that's a major issue that can't be ignored, as Randy put it.

Robin> If it worked along the lines of "for each connection to a new
Robin> address:port combination, prompt the user to accept the connection (with the
Robin> option to accept connections to that address:port combination every time)" would
Robin> it be a problem? Not secure enough? Too obtrusive?

That would be a really awful way of dealing with the problem.
Like Randy says, I don't want a user to be prompted 2000 times by a SVG/JavaScript connection hook
inside an HTML document with embedded SVG to force him to connect to something he really doesn't want,
like some damn ActiveX webpage that does all sorts of nasty things.

Talking to a Server via SOAP/XML-RPC looks more natural.
Worst case scenario the actual FTP/SFTP/SSH/IRC/NNTP/POP3/SMTP connection
is provided by the SERVER not the USER,
that would close the security issue, I think.
Since the SERVER could ensure that only some already known connections are allowed,
unless it is badly written, but then the blame would be
on the SERVER not SVG itself for being insecure.

It would be also easier to have a real implementation on the SERVER
in Java, Perl, Python, C/C++ or similar, than some primitive JavaScript.


Sincerely yours,
Fred.

Received on Monday, 18 August 2003 11:24:48 GMT
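
The server-side model proposed in the message above, where the server rather than the SVG client opens the FTP/IRC/SMTP connection and only already-known destinations are allowed, can be sketched as follows. This is an added example, not code from the original post; the function names, request fields and example.org hostnames are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed allowlist (placeholder hosts): the only upstream services the
# gateway will open on behalf of a client that reaches it via SOAP/XML-RPC.
ALLOWED_UPSTREAMS = {
    ("ftp", "files.example.org", 21),
    ("irc", "chat.example.org", 6667),
    ("smtp", "mail.example.org", 25),
}

class Refused(Exception):
    """The request names a destination the server does not already know."""

@dataclass(frozen=True)
class Upstream:
    protocol: str
    host: str
    port: int

def authorize(request):
    """Check one decoded RPC request (hypothetical fields protocol/host/port).

    Returns the normalized Upstream the server may connect to, or raises
    Refused. The client never supplies a socket, only a name to be checked.
    """
    if not isinstance(request, dict):
        raise Refused("malformed request")
    protocol, host, port = (request.get(k) for k in ("protocol", "host", "port"))
    # Strict typing: a port sent as "21" or True is rejected, not coerced.
    if not (isinstance(protocol, str) and isinstance(host, str)
            and isinstance(port, int) and not isinstance(port, bool)):
        raise Refused("malformed request")
    # Normalize case and a trailing root dot so spelling variants of an
    # allowed name match, while anything else falls through to refusal.
    key = (protocol.lower(), host.rstrip(".").lower(), port)
    if key not in ALLOWED_UPSTREAMS:
        raise Refused("%s://%s:%d is not an allowed upstream" % key)
    return Upstream(*key)

def handle_batch(requests):
    """Split requests into (accepted upstreams, refusal messages for logging)."""
    accepted, refused = [], []
    for req in requests:
        try:
            accepted.append(authorize(req))
        except Refused as exc:
            refused.append(str(exc))
    return accepted, refused
```
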
