W3C home > Mailing lists > Public > www-svg@w3.org > November 2004

Re: SVG 1.2 Comment: B.2.3 Socket Connections

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 03 Nov 2004 23:12:51 -0600
Message-ID: <4189BA53.70608@mit.edu>
To: Denis Bohm <denis@fireflydesign.com>
CC: www-svg@w3.org

Denis Bohm wrote:
> actually it's safer because the UA is making
> sure the user is aware of the applications request to connect to another
> computer.

Do you really think users read the "is it ok if ..." alerts an implementation 
would have to pop up to ask for such permission?  As a web browser developer, I 
can tell you that the only way we'd possibly implement a feature like this is by 
allowing it to only connect back to the originating server, most likely with a 
restriction on which ports it can connect to.  Attempts to do anything else 
would result in an exception being thrown, without the user being consulted. 
That's what we do now for many far more restrictive cases (XSLT comes to mind 
here, as do XMLHttpRequest, etc).

In an intranet environment it may be possible to have a looser security policy, 
but we're talking about a standard to be used on the Web here, but Web UAs.

 > So I don't see a problem.  This has already been thought out in
> other contents and the SVG interfaces don't introduce any new issues.

The problem is that given the likely restrictions UAs will have to place on the 
usage of this interface it may well be no more useful than existing 
interfaces... and possibly less useful.

Whether the usefulness is reduced enough is something that is a matter of 
debate, of course.

-Boris
Received on Thursday, 4 November 2004 05:12:55 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 5 February 2014 07:14:52 UTC