Re: SVG 1.2 Comment: B.2.3 Socket Connections

>"Boris Zbarsky" <bzbarsky@MIT.EDU>
>> Jim Ley wrote:
>>> You always have to block random hosts - Mozilla is currently the only 
>>> browser to provide by default (and last I looked non-disablable) access 
>>> to non-originating hosts via javascript http requests.
>>
>> Were you referring to some other piece of javascript HTTP request 
>> functionality?
>
>Yep, the SOAP implementation:
>
>http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2004-July/001495.html
>
>Jim. 

Actually, it is possible in pretty much any modern browser to communicate 
with a non-originating host, using pure W3C standards and JavaScript. 
<html:script /> tags can reference JavaScript files from any domain, and 
the included script is executed as if it came from the originating host.

So, using basic DOM operations, JavaScript can dynamically create new 
<script> elements, set the 'src' attribute to any domain, passing through 
data via the URL, and adding it to the DOM.  By appending to the DOM, the 
URL gets loaded and the server can send over new data embedded in the 
loaded JavaScript.

So when back at Netscape we added SOAP and WSDL functionality to Mozilla, 
allowing cross domain communication was not an issue, since it's already 
doable.  The only reason we implemented our web services security model 
(where the web service host has to explicitly say what domains can access 
it) was for intranet security - there are open web services inside 
intranets today, and if somehow someone outside knew the URL for it, and 
managed to get someone inside the firewall to access his webpage, that 
person would have been able to communicate with the intranet web service 
using the browser.  Macromedia Flash implemented a similar model as well 
for its SOAP capabilities.

Doron Rosenberg
Browser Technology Center (Austin)
IBM Emerging Technologies

doronr@us.ibm.com | 1-512-838-9293

Received on Wednesday, 10 November 2004 16:33:40 UTC
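
Added example, not part of the original message and not Mozilla's or Flash's actual implementation: a sketch of the opt-in model the message describes, where the web service host explicitly states which domains may access it and every other caller is denied. The declaration format and the names declaration, parseOrigin, parsePattern and mayAccess are assumptions made for illustration.

```javascript
// Added example. The declaration format is hypothetical, not Mozilla's or Flash's actual syntax.
// Constructed sample: what an intranet web service host might publish to opt in callers.
const declaration = {
  allow: ["https://portal.example.com", "https://*.apps.example.com"],
};

// Parse the calling page's origin; anything unparsable or non-HTTP is rejected.
function parseOrigin(value) {
  try {
    const u = new URL(value);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return { scheme: u.protocol, host: u.hostname.toLowerCase(), port: u.port };
  } catch (e) {
    return null;
  }
}

// Parse one allowlist entry: scheme, optional leading "*." wildcard, host, optional port.
function parsePattern(entry) {
  const m = /^(https?):\/\/(\*\.)?([a-z0-9.-]+)(?::(\d+))?$/i.exec(entry);
  if (!m) return null;
  return { scheme: m[1].toLowerCase() + ":", wildcard: Boolean(m[2]),
           host: m[3].toLowerCase(), port: m[4] || "" };
}

// True only if the service host explicitly listed the caller's origin.
function mayAccess(decl, callerOrigin) {
  const caller = parseOrigin(callerOrigin);
  if (!caller || !decl || !Array.isArray(decl.allow)) return false; // default deny
  return decl.allow.some((entry) => {
    const p = parsePattern(entry);
    if (!p || p.scheme !== caller.scheme || p.port !== caller.port) return false;
    // Wildcards match whole labels only, so "evilapps.example.com" cannot
    // satisfy "*.apps.example.com" through a bare suffix comparison.
    return p.wildcard ? caller.host.endsWith("." + p.host) : caller.host === p.host;
  });
}
```

A service with no declaration at all is treated as closed, which is the property that protects open intranet services from pages loaded from outside the firewall.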