W3C home > Mailing lists > Public > www-svg@w3.org > November 2004

Re: SVG 1.2 Comment: B.2.3 Socket Connections

From: Robin Berjon <robin.berjon@expway.fr>
Date: Thu, 04 Nov 2004 12:38:43 +0100
Message-ID: <418A14C3.5030307@expway.fr>
To: Ian Hickson <ian@hixie.ch>
Cc: www-svg@w3.org

Ian Hickson wrote:
> On Wed, 3 Nov 2004, Peter Sorotokin wrote:
>>Most secure UAs can block these connections (or require user to approve 
>>it for a specific host, verify signatures, etc.). We are not imposing 
>>our security model on UAs, we just outlining baseline expectations.
> 
> The point is that once you've implemented this securely, it becomes less 
> useful than URLRequest, since it can only access HTTP ports, but doesn't 
> do HTTP. It seems bad to have a feature that is only useful if implemented 
> in insecure ways.

Even given a whitelist of ports restricted to 80, 8080, and 443 (which 
is a rather drastic whitelist) it's quite inlikely that one would be 
running an HTTP server on all three *and* unable to change the 8080 
server to another port (it's typical to have a eg a modperl backend 
there but not exposed to the world).

You don't need two zillion ports to make it useful, one is enough.

> If the use case is only for secured networks, then it shouldn't be in a 
> W3C spec (W3C specs being, by definition, designed for the Web).

Which is why it can be used for both.

-- 
Robin Berjon
Received on Thursday, 4 November 2004 11:39:14 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 5 February 2014 07:14:52 UTC