[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Public WebGL] WebGLSL Media Type Proposal





----- Original Message -----
> 
> >> Really? Well, somebody should fix that then, basically. I don't
> >> believe the HTML standard requires documents to be served with
> >> HTTP
> 
> > This isn't about requiring documents to be served by HTTP, this is
> > just about finding a sane definition of same-origin for file://
> > URLs.
> 
> Let me break down that jump of thought down into points:
> 
> 1. XMLHttpRequest will usually not work on file:// URLs, and when it
> does, exact same-origin behavior is undefined.
> 
> 2. Thus, you can't work with the assumption that XMLHttpRequest will
> work when documents and resources reside on the local file system.
> 
> 3. Relying on the undefined behavior of a specific implementation is
> typically discouraged. Thus, use of XMLHttpRequest with local
> documents
> and resources is implicitly discouraged.
> 
> 4. I assume that most implementations also leave behavior undefined
> for
> other non-HTTP protocols, so use of these are also implicitly
> discouraged.
> 
> 5. XMLHttpRequest thus implicitly requires documents and resources to
> be
> served via HTTP, as the real-world practical situation is today.
> 
> > Note that allowing any file:// page to access all the files in the
> > same directory has security implications, as it would be possible
> > for an attacker to induce users into downloading a HTML file and
> > opening it locally.
> 
> Yes, and the script could, for instance, sniff your entire desktop.
> And
> then what? If same-origin policies are consistently enforced, there's
> no
> way of sending this data anywhere.

I don't know what "same-origin policies" you are referring to here, but as soon as a script can read a value, it can do absolutely anything it wants with it. JavaScript values don't have an "origin".

Benoit

> 
> I don't know if same-origin policies are strictly enforced for all
> script-originated URLs, but I would imagine that they are. Otherwise,
> simple tricks like embedding data in the query string of the SRC
> attribute of an IMG tag could easily circumvent them.
> 
> Thor
> 
> -----------------------------------------------------------
> You are currently subscribed to public_webgl@khronos.org.
> To unsubscribe, send an email to majordomo@khronos.org with
> the following command in the body of your email:
> unsubscribe public_webgl
> -----------------------------------------------------------
> 
> 

-----------------------------------------------------------
You are currently subscribed to public_webgl@khronos.org.
To unsubscribe, send an email to majordomo@khronos.org with
the following command in the body of your email:
unsubscribe public_webgl
-----------------------------------------------------------