- From: Fred P. <fprog26@hotmail.com>
- Date: Mon, 18 Aug 2003 11:24:40 -0400
- To: www-svg@w3.org
Network thread discussion merged: --------------------------------- Randy> == Randy Nonay <randy.nonay *at* net-linx.com> Jim> == Jim Ley <jim *at* jibbering.com> Robin> == Robin Berjon <robin.berjon *at* expway.fr> Randy> The single biggest hurdle to this idea is that the very technology required to Randy> make it happen (the ability to use the network interfaces in 1.2) will also make Randy> it unsafe to use. Just imagine a cross-platform capable MS Outlook. Throw in Randy> the ability to make RPC and you have a very nice delivery mechanism for Randy> virus/trojans/worms... and they won't target just MS platforms, but anything Randy> using the svg functionality. Randy> Randy> There must be very strict control over what is allowed via this type of Randy> interface or it will single handedly kill svg... Randy> Randy> Randy I agree with you on such point, you don't want to create a new trend of virus/trojan/worm to be EMCAscript/JavaScript based instead of VBA scripts! Don't redo Microsoft Designer mistakes! =) Thanks for reminding us and being the watchdog of such awful design mistakes! =P I don't want my name to be associated with such idea! =) No thanks! [ 5 years later: Who suggested that SVG have network sockets and led to 1000 worms being spread on the net? ahhhhhh!!! ] I was more looking for an efficient solution, XML-RPC and SOAP support are good enough for me. Jim> > Maybe a Socket Interface to TCP/UDP sockets? Jim> I think Sockets are the only sensible (in addition to beefed up Jim> getURL/postURL), then we can build our own solutions to any format we want. Jim> > Maybe all this can be done via XML-RPC or SOAP support? Jim> No!, we need sockets, and definately do not want to be limited to XML Jim> solutions. What about an SSH interface? Would that be targetted as safe or unsafe? Therefore, keeping the secure transfer thing and allowing people to write their own non-XML protocol. Anyway, does someone really want to create their own protocol over SSH in JavaScript ??? It seems a major case of JavaScript abuse/torture to me, isn't it !? Robin>> Network interface would be nice Robin>> (simple like Perl FTP, IRC, HTTP CPAN modules) Robin>> Maybe a Socket Interface to TCP/UDP sockets? Robin> If we provided the minimum TCP/UDP interface and users had to build their own Robin> protocols on top of it, would you be satisfied? That would be too low level for me at least =) Implementing FTP in C/C++ is quite something, doing it in JavaScript ?!? Are you serious! Robin> Have you given thought to the security model? Security on the data such as encryption (SSL) depends on the application mostly. Security as of the network interface that's a major issue that can't be ignored, as Randy put it. Robin> If it worked along the lines of "for each connection to a new Robin> address:port combination, prompt the user to accept the connection (with the Robin> option to accept connections to that address:port combination every time)" would Robin> it be a problem? Not secure enough? Too obtrusive? That would be a really awful way of dealing with the problem. Like Randy says, I don't want a user to be prompt 2000 times by a SVG/JavaScript connection hook inside an HTML document with embedded SVG to force him to connect to something he really don't want, like some damn ActiveX webpage that do all sorts of nasty thing. Talking to a Server via SOAP/XML-RPC looks more natural. Worst case scenario the actual FTP/SFTP/SSH/IRC/NNTP/POP3/SMTP connection is provided by the SERVER not the USER, that would close the security issue, I think. Since the SERVER could ensure that only some already known connection are allowed, unless it is badly written, but then the blame would be on the SERVER not SVG itself for being insecure. It would be also easier to have a real implementation on the SERVER in Java, Perl, Python, C/C++ or similar, than some primitive JavaScript. Sincerely yours, Fred. _________________________________________________________________ Tired of spam? Get advanced junk mail protection with MSN 8. http://join.msn.com/?page=features/junkmail
Received on Monday, 18 August 2003 11:24:48 UTC