- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Thu, 04 Nov 2004 16:40:58 -0600
- To: Jim Ley <jim@jibbering.com>
- CC: www-svg@w3.org
Jim Ley wrote:
> You always have to block random hosts - Mozilla is currently the only
> browser to provide by default (and last I looked non-disablable) access to
> non-originating hosts via javascript http requests.

That really needs to be disabled, as it happens (even the write-only version
that exists now).

> There's no utility problem here - whilst it makes fun things like IRC
> clients harder, that's right - what it allows though is server pushed data
> in an efficient mechanism, I spend an awful lot of my time, and I know of an
> awful lot of resources that go to streaming data down to a client - the
> stock ticker being the most obvious use case - currently this is generally
> implemented with a kept open HTTP connection that gets script written to it
> occasionally, obviously this is extremely inefficient, knocking out 50% of
> connections simply to provide a stock price every 5 minutes, is simply
> inefficient, and something none-of-us put up with, we only want to talk back
> to the originating server, it's not a problem.

I'm not quite sure what to make of this paragraph (or rampantly run-on
sentence, as the case may be). What are you saying, exactly?

Just to sum up my point, so that we'll be sure we're on the same page:

1) Cross-site socket access will need to be disallowed for security reasons
2) Access to non-HTTP ports may well need to be disallowed for security
   reasons.
3) If we limit ourselves to accessing HTTP servers, an API that doesn't force
   consumers to implement all of HTTP is preferable.

Which of these statements do you disagree with?

-Boris
Received on Thursday, 4 November 2004 22:41:04 UTC