Re: SVG 1.2 Comment: B.2.3 Socket Connections

Ian Hickson wrote:
> On Wed, 3 Nov 2004, Peter Sorotokin wrote:
>>Most secure UAs can block these connections (or require the user to approve 
>>it for a specific host, verify signatures, etc.). We are not imposing 
>>our security model on UAs, we are just outlining baseline expectations.
> 
> The point is that once you've implemented this securely, it becomes less 
> useful than URLRequest, since it can only access HTTP ports, but doesn't 
> do HTTP. It seems bad to have a feature that is only useful if implemented 
> in insecure ways.

Even given a whitelist of ports restricted to 80, 8080, and 443 (which 
is a rather drastic whitelist) it's quite unlikely that one would be 
running an HTTP server on all three *and* unable to change the 8080 
server to another port (it's typical to have e.g. a modperl backend 
there but not exposed to the world).

You don't need two zillion ports to make it useful, one is enough.

> If the use case is only for secured networks, then it shouldn't be in a 
> W3C spec (W3C specs being, by definition, designed for the Web).

Which is why it can be used for both.

-- 
Robin Berjon

Received on Thursday, 4 November 2004 11:39:14 UTC