
Re: [Public WebGL] WebGLSL Media Type Proposal





----- Original Message -----
> 
> >     (Not to mention the requirement of a local http server, which most
> >     definitely negatively impacts the pick-up-and-hack capabilities of
> >     WebGL)
> >
> > You need that anyway in Chrome if you're loading any textures, since it
> > treats them as not same-origin.
> 
> Really? Well, somebody should fix that then, basically. I don't believe
> the HTML standard requires documents to be served with HTTP

This isn't about requiring documents to be served by HTTP; this is just about finding a sane definition of same-origin for file:// URLs.

Note that allowing any file:// page to access all the files in the same directory has security implications, as it would be possible for an attacker to induce users into downloading an HTML file and opening it locally.

Benoit


> 
> > Once again, nothing about XHR is specific to HTTP, no more than it's
> > specific to HTTP.  The name is purely legacy.
> 
> > XHR is *not* an HTTP-specific API.  It's perfectly normal practice and
> > completely by design to use it for any URL.
> 
> It has evolved to be that way. Should've been designed for it from the
> get-go. I like how nobody thought a platform API might need a way of,
> you know, loading files? :p Then again, hindsight is 20-20.
> 
> > It often won't work for file URLs, but that has nothing to do with XHR;
> > that's a same-origin policy issue which wouldn't be solved by any other
> > API, as it's a lower-level security policy issue.
> 
> Well, so long as these policies stay the same, XHR isn't useful in this
> scenario, is my point.
> 
> > No, we don't, because you can already do it with <script>.
> >
> > <script id=foo type=vertex-shader>
> > foo
> > </script>
> > <script>
> > alert(document.getElementById("foo").textContent)
> > </script>
> 
> At one point, somebody expressed, in a manner that sounded quite
> authoritative, that no, we're not meant to do it that way, because a
> GLSL script is not meaningful to the browser in any way. Somebody also
> said something about how you can't use this to source scripts from other
> files, thus XHR was suggested, but with the above policies, this doesn't
> always work.
> 
> Is it encouraged, or is it not?
> 
> Thor
> 
> 
> 
> -----------------------------------------------------------
> You are currently subscribed to public_webgl@khronos.org.
> To unsubscribe, send an email to majordomo@khronos.org with
> the following command in the body of your email:
> unsubscribe public_webgl
> -----------------------------------------------------------
> 
> 
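
The trade-off discussed in this message, modelled as an added example that is not part of the original thread and not any browser's implementation: one rule gives every file:// document its own origin (so a local demo cannot load its shader or texture without an HTTP server), the other treats the page's directory as same-origin (so a downloaded page can read its neighbours). All function names, users and paths are constructed for the illustration.

```javascript
// Added illustration: two candidate same-origin rules for file:// URLs.
// All function names, users and paths below are constructed for this example.

// Directory part of a URL path. new URL() resolves "." and ".." segments
// first, so "dir/../other/x" is compared by where it really points.
function dirOf(url) {
  const path = new URL(url).pathname;
  return path.slice(0, path.lastIndexOf("/") + 1);
}

// Rule A: each file:// document is its own origin; nothing else matches.
function uniqueOriginRule(pageUrl, targetUrl) {
  return new URL(pageUrl).href === new URL(targetUrl).href;
}

// Rule B: any file in the page's own directory counts as same-origin.
function sameDirectoryRule(pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  if (page.protocol !== "file:" || target.protocol !== "file:") return false;
  return dirOf(page.href) === dirOf(target.href);
}

// Which of `files` may a page at `pageUrl` read under `rule`?
function readable(rule, pageUrl, files) {
  return files.filter((f) => rule(pageUrl, f));
}

// Constructed sample file system.
const files = [
  "file:///home/alice/webgl-demo/shader.vert",
  "file:///home/alice/webgl-demo/texture.png",
  "file:///home/alice/Downloads/statement.pdf",
  "file:///home/alice/Downloads/../Documents/notes.txt",
];
const devPage = "file:///home/alice/webgl-demo/index.html";
const downloadedPage = "file:///home/alice/Downloads/page.html";

for (const [name, rule] of [["unique origin", uniqueOriginRule],
                            ["same directory", sameDirectoryRule]]) {
  console.log(name, "| dev page reads:", readable(rule, devPage, files));
  console.log(name, "| downloaded page reads:", readable(rule, downloadedPage, files));
}
```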
