[x3d-public] ... cross-origin scripting errors

Leonard Daly Leonard.Daly at realism.com
Wed Apr 13 14:23:06 PDT 2016


Andreas,

> Leonard,
>
>
>     > (x3dom) ... suggests to uses the http server which comes with
>     python:
>     >
>     > http://doc.x3dom.org/gettingStarted/pythonSimpleHTTP/index.html
>     >
>     > Running a http server (but web browser ?) may be considered a
>     security
>     > hole if outgoing traffic somehow was not considered in security
>     design.
>
>     Please expand on this. Do you mean the simple python server, a
>     full-blown server on local (e.g., Apache), web server on the LAN,
>     or an
>     external web server? There are different security issues in each
>     configuration and the risk goes from minimal to significant.
>
>
> I was trying to make sense of Don's comment on security holes. The 
> simple python server may not be that different from Apache in a 
> security sense. As you say it is all in the configuration and network 
> setup.

Python's SimpleHTTPServer class is not fully functional. It only 
supports GET and HEAD and only files in the current working directory 
(when started) and below. It does not support POST or PUT.

There also appears to be no support for domain names. Everything is 
referenced by localhost. It is also not meant to stay running. All that 
being said, it still should be run on a port (D=8000) that is blocked by 
a firewall either on the local computer or within the [sub-]network.

Many websites use URL rewriting to change from a "nice" format to 
something easier for software to parse. The Python server does not have 
that capability. It is a really simple "get exactly what you request".


General rules:
1) Start it up only when necessary
2) Start it up in the lowest directory that provides access to all 
needed resources
3) Start it up on a port that is blocked by a firewall (8000 usually is)
4) Terminate when work is done


> ..
>
> > It may be possible to package a small local web server, webkit with js
>
>     > engine, and javascript app (cobweb) into a standalone
>     application with
>     > a custom UI which can open local files. But it would be a
>     development
>     > effort and the resulting application may be a larger security risk
>     > than a standard web browser although it would not look like one.
>
>     No, please don't (for anyone here). Too much effort has already gone
>     into the development of web servers, browsers, JS engines, etc. to
>     justify doing this.
>
>
> yep, my point. But I think this is what Don may have looked for.

I suspected you were not going to code one, but I also wanted to 
discourage anyone else from doing it either.


Leonard Daly




>
> Andreas
>
>


-- 
*Leonard Daly*
3D Systems & Cloud Consultant
X3D Co-Chair on Sabbatical
LA ACM SIGGRAPH Chair
President, Daly Realism - /Creating the Future/
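An added example, not code from this thread, that checks the properties described above (GET/HEAD only, no POST, confined to the directory the server is started in, terminated when done) against Python 3's http.server, the successor to the Python 2 SimpleHTTPServer named in the post, and binds it to loopback so the firewall is not the only thing keeping it off the network. The directory layout and file names are constructed for the test.

```python
# Added example (not from the thread): exercise the properties Leonard
# describes for Python's built-in static file server, using Python 3's
# http.server (successor of the Python 2 SimpleHTTPServer module).
import functools
import http.client
import http.server
import os
import tempfile
import threading

class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler without per-request log lines on stderr."""
    def log_message(self, fmt, *args):
        pass

def start_local_server(docroot):
    """Serve only `docroot` and bind to loopback so nothing on the LAN can
    reach it (a bare `python -m http.server` binds all interfaces).
    Port 0 lets the OS pick a free port; the chosen port is returned."""
    handler = functools.partial(QuietHandler, directory=docroot)
    httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, httpd.server_address[1]

def probe(port, method, path):
    """Return the status code the server answers for one request."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path)
    status = conn.getresponse().status
    conn.close()
    return status

def run_checks():
    """Constructed layout: a parent dir holding a file that must stay
    unreachable, and a docroot below it that the server is started from."""
    parent = tempfile.mkdtemp()
    docroot = os.path.join(parent, "site")
    os.mkdir(docroot)
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write("<html>ok</html>")
    with open(os.path.join(parent, "secret.txt"), "w") as f:
        f.write("not served")
    httpd, port = start_local_server(docroot)
    try:
        results = {
            "get_index": probe(port, "GET", "/index.html"),     # 200
            "post_index": probe(port, "POST", "/index.html"),   # 501: no POST
            "traversal": probe(port, "GET", "/../secret.txt"),  # 404: '..' dropped
        }
    finally:
        httpd.shutdown()       # rule 4: terminate when work is done
        httpd.server_close()
    return results
```

Run it with `python3 -c "import server_check; print(server_check.run_checks())"` (assuming the block is saved as server_check.py) to see the three status codes.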