[x3d-public] browser importDocument SAI service

Don Brutzman brutzman at nps.edu
Mon Oct 24 08:23:56 PDT 2016


On 10/23/2016 8:18 PM, Leonard Daly wrote:
> On 10/23/2016 2:35 PM, Don Brutzman wrote:
>> On 10/22/2016 8:35 PM, Andreas Plesch wrote:
>>> On Oct 22, 2016 6:27 PM, "Don Brutzman" <brutzman at nps.edu> wrote:
>
>>>> - loading HTML that contains embedded X3D scene
>>>
>>> parsing HTML into a DOM is very available. I am not quite sure what scenario you would have in mind here.
>>
>> something like
>>
>>     http://www.web3d.org/x3d/content/examples/HelloWorldCobweb.html
>> or
>>     http://www.web3d.org/x3d/content/examples/HelloWorldX3dom.xhtml
>>
>> in other words, an HTML document that contains an X3D scene, should we have a utility method that loads the document but strips out any HTML/CSS/etc. and leaves only X3D scene
>
> This is potentially risky because JavaScript can modify or even create the HTML as the file is loading to produce different results. Some HTML frameworks (e.g., React.js) load partial content until the region to be displayed is nearly visible to the user, then the entire region is loaded. The scene may also contain some vendor-specific scene elements that should not be filtered out.
>
> It is probably much easier (and safer) if you only accept straight X3D than start mandating that the embedded X3D in HTML follow some very specific design constraints.

Security issues are certainly always worth considering.

Any DOM-tree document is subject to prior modification before loading.

Importing a DOM document is not a live self-modifying object at time of import, rather it is simply the string data contained in the DOM element/attribute tree.

If a utility method filters out everything but the X3D-related document subgraph within an HTML document graph, the security issues would seem to be the same as importing an X3D document in the first place.

all the best, Don
-- 
Don Brutzman  Naval Postgraduate School, Code USW/Br       brutzman at nps.edu
Watkins 270,  MOVES Institute, Monterey CA 93943-5000 USA   +1.831.656.2149
X3D graphics, virtual worlds, navy robotics http://faculty.nps.edu/brutzman
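
A sketch of the utility method discussed in this message, as an added example that is not code from the thread or from any X3D browser. It uses Python's standard `html.parser` as a stand-in for an SAI implementation; `extract_x3d`, `X3DSubtreeExtractor`, the sample page and its `VendorWidget` element are all hypothetical. It reads the page as static text, so no script runs, and it copies out only the X3D subtree, leaving unknown scene elements in place.

```python
import html
import re
from html.parser import HTMLParser

class X3DSubtreeExtractor(HTMLParser):
    """Copy out each <X3D>...</X3D> subtree as inert text; nothing is executed."""

    def __init__(self):
        super().__init__()
        self.names = []   # original-case names of elements open inside the scene
        self.parts = []   # text of the scene currently being collected
        self.scenes = []  # completed X3D subtrees

    def handle_starttag(self, tag, attrs):
        if tag == "x3d" or self.names:
            raw = self.get_starttag_text()  # keeps element case and attributes
            self.names.append(re.match(r"<\s*([^\s/>]+)", raw).group(1))
            self.parts.append(raw)

    def handle_startendtag(self, tag, attrs):
        if self.names:  # self-closing node such as <Box/>
            self.parts.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self.names and self.names[-1].lower() == tag:
            self.parts.append("</%s>" % self.names.pop())
            if not self.names:  # closed the X3D root: scene complete
                self.scenes.append("".join(self.parts))
                self.parts = []

    def handle_data(self, data):
        if self.names:  # text outside the scene is dropped
            self.parts.append(html.escape(data, quote=False))

def extract_x3d(html_text):
    parser = X3DSubtreeExtractor()
    parser.feed(html_text)
    parser.close()
    return parser.scenes

# Constructed sample page; VendorWidget stands for a vendor-specific element.
SAMPLE_HTML = """<html><head><style>x3d { width: 400px; }</style>
<script>document.title = "set while the page loads";</script></head>
<body onload="init()"><h1>Hello World</h1>
<X3D profile='Immersive' version='3.3'><Scene>
  <Shape><Box size='2 2 2'/><Appearance><Material diffuseColor='0 0.5 1'/></Appearance></Shape>
  <VendorWidget note='a &amp; b'></VendorWidget>
</Scene></X3D>
<p>footer</p></body></html>"""
```

The strings returned by `extract_x3d(SAMPLE_HTML)` still have to go through the same validation as any X3D document loaded directly. A scene that a page script would only have built at load time is never seen by this static pass.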


