[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Public WebGL] WebGLSL Media Type Proposal




Really? Well, somebody should fix that then, basically. I don't
believe the HTML standard requires documents to be served with
HTTP

This isn't about requiring documents to be served by HTTP, this is just about finding a sane definition of same-origin for file:// URLs.

Let me break down that jump of thought down into points:

1. XMLHttpRequest will usually not work on file:// URLs, and when it does, exact same-origin behavior is undefined.

2. Thus, you can't work with the assumption that XMLHttpRequest will work when documents and resources reside on the local file system.

3. Relying on the undefined behavior of a specific implementation is typically discouraged. Thus, use of XMLHttpRequest with local documents and resources is implicitly discouraged.

4. I assume that most implementations also leave behavior undefined for other non-HTTP protocols, so use of these are also implicitly discouraged.

5. XMLHttpRequest thus implicitly requires documents and resources to be served via HTTP, as the real-world practical situation is today.

Note that allowing any file:// page to access all the files in the same directory has security implications, as it would be possible for an attacker to induce users into downloading a HTML file and opening it locally.

Yes, and the script could, for instance, sniff your entire desktop. And then what? If same-origin policies are consistently enforced, there's no way of sending this data anywhere.


I don't know if same-origin policies are strictly enforced for all script-originated URLs, but I would imagine that they are. Otherwise, simple tricks like embedding data in the query string of the SRC attribute of an IMG tag could easily circumvent them.

Thor

-----------------------------------------------------------
You are currently subscribed to public_webgl@khronos.org.
To unsubscribe, send an email to majordomo@khronos.org with
the following command in the body of your email:
unsubscribe public_webgl
-----------------------------------------------------------