- From: Robin Berjon <robin.berjon@expway.fr>
- Date: Thu, 04 Nov 2004 12:38:43 +0100
- To: Ian Hickson <ian@hixie.ch>
- Cc: www-svg@w3.org

Ian Hickson wrote:
> On Wed, 3 Nov 2004, Peter Sorotokin wrote:
>>Most secure UAs can block these connections (or require user to approve
>>it for a specific host, verify signatures, etc.). We are not imposing
>>our security model on UAs, we are just outlining baseline expectations.
>
> The point is that once you've implemented this securely, it becomes less
> useful than URLRequest, since it can only access HTTP ports, but doesn't
> do HTTP. It seems bad to have a feature that is only useful if implemented
> in insecure ways.

Even given a whitelist of ports restricted to 80, 8080, and 443 (which is a rather drastic whitelist) it's quite unlikely that one would be running an HTTP server on all three *and* unable to change the 8080 server to another port (it's typical to have e.g. a modperl backend there but not exposed to the world). You don't need two zillion ports to make it useful, one is enough.

> If the use case is only for secured networks, then it shouldn't be in a
> W3C spec (W3C specs being, by definition, designed for the Web).

Which is why it can be used for both.

--
Robin Berjon

Received on Thursday, 4 November 2004 11:39:14 UTC