W3C home > Mailing lists > Public > www-svg@w3.org > November 2004

Re: SVG 1.2 Comment: B.2.3 Socket Connections

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Thu, 04 Nov 2004 16:40:58 -0600
Message-ID: <418AAFFA.8010908@mit.edu>
To: Jim Ley <jim@jibbering.com>
CC: www-svg@w3.org

Jim Ley wrote:
> You always have to block random hosts - Mozilla is currently the only 
> browser to provide by default (and last I looked non-disablable) access to 
> non-originating hosts via javascript http requests.

That really needs to be disabled, as it happens (even the write-only 
version that exists now).

> There's no utility problem here  - whilst it makes fun things like IRC 
> clients harder, that's right - what it allows though is server pushed data 
> in an efficient mechanism, I spend an awful lot of my time, and I know of an 
> awful lot of resources that go to streaming data down to a client - the 
> stock ticker being the most obvious use case - currently this is generally 
> implemented with a kept open HTTP connection that gets script written to it 
> occasionally, obviously this is extremely inefficient, knocking out 50% of 
> connections simply to provide a stock price every 5 minutes, is simply 
> inefficient, and something none-of-us put up with, we only want to talk back 
> to the originating server, it's not a problem.

I'm not quite sure what to make of this paragraph (or rampantly run-on 
sentence, as the case may be).  What are you saying, exactly?  Just to 
sum up my point, so that we'll be sure we're on the same page:

1)  Cross-site socket access will need to be disallowed for security
2)  Access to non-HTTP ports may well need to be disallowed for security
3)  If we limit ourselves to accesing HTTP servers, an API that doesn't
     force consumers to implement all of HTTP is preferable.

Which of these statements do you disagree with?

Received on Thursday, 4 November 2004 22:41:04 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 8 March 2017 09:47:01 UTC