Re: SVG 1.2 Comment: B.2.3 Socket Connections

"Boris Zbarsky" <bzbarsky@MIT.EDU> wrote in message 
news:418A80D9.6000906@mit.edu...

> Of course. You have to block both access to random ports and access to any 
> host but the originating one...

You always have to block random hosts - Mozilla is currently the only 
browser to provide by default (and last I looked non-disablable) access to 
non-originating hosts via javascript http requests.  That is a much larger 
security problem than accessing ports other than the originating one on the 
same host.  Something that other user agents more than deal with.

> Which radically reduces utility, unfortunately :(.

There's no utility problem here - whilst it makes fun things like IRC 
clients harder, that's right - what it allows though is server-pushed data 
in an efficient mechanism. I spend an awful lot of my time, and I know of an 
awful lot of resources that go to streaming data down to a client - the 
stock ticker being the most obvious use case. Currently this is generally 
implemented with a kept-open HTTP connection that gets script written to it 
occasionally. Obviously this is extremely inefficient: knocking out 50% of 
connections simply to provide a stock price every 5 minutes is simply 
inefficient, and something none of us put up with. We only want to talk back 
to the originating server; it's not a problem.

Jim. 

Received on Thursday, 4 November 2004 21:39:22 UTC