Re: SVG 1.2 Comment: B.2.3 Socket Connections

"Boris Zbarsky" <bzbarsky@MIT.EDU>
> Jim Ley wrote:
>> You always have to block random hosts - Mozilla is currently the only 
>> browser to provide by default (and last I looked non-disablable) access 
>> to non-originating hosts via javascript http requests.
>
> That really needs to be disabled, as it happens.

I agree, but Mozilla developers (and presumably their users) do not.

> 1)  Cross-site socket access will need to be disallowed for security
>     reasons

Of course.

> 2)  Access to non-HTTP ports may well need to be disallowed for security
>     reasons.

I don't understand this recommendation. Either you only allow back to the 
_SAME_ port, which is pointless, as you say that would need to talk HTTP (or 
have some odd server on the other end that can talk HTTP and other 
protocols, almost certainly too rare a beast to be realistic, and 
complicated by proxies), or there's little reason to not allow talk back to 
any port.

This is what Flash and Java applets have provided for some time, without any 
problem I can find with using these functionalities as a vector to attack 
machines.

> 3)  If we limit ourselves to accessing HTTP servers, an API that doesn't
>     force consumers to implement all of HTTP is preferable.

Even if you limit yourself to HTTP ports, you don't limit yourself to HTTP 
servers.  The main use case sockets exist for is time-sensitive server 
push - stock tickers, chat, mail announcements etc.  HTTP is not appropriate 
for this, and the solutions we have today layered on top of HTTP are really 
inadequate.

> Which of these statements do you disagree with?

So I disagree with 2 and 3, both separately and together.

Jim. 

Received on Thursday, 4 November 2004 22:53:03 UTC