[x3d-public] X3D minutes 24 April 2020: Cross-origin resource sharing (CORS)

Don Brutzman brutzman at nps.edu
Fri Apr 24 11:47:54 PDT 2020


1. *Summary*. Today's session focused primarily on Cross-origin resource sharing (CORS).  Numerous references are also included.

We met Friday 24 April 2020 0800-0940 for regular weekly meeting of X3D Working Group.

Attendees: John Carlson, Vince Marchetti, Nicholas Polys, Dick Puk, Anita Havele, Don Brutzman.

[1.1] X3D Graphics Working Group
       https://www.web3d.org/working-groups/x3d

Confirmed that no member-only information is present in these minutes.  Noted that the information here:
- helps members pay full attention to the detailed improvement of X3D4,
- helps community understand and trust the diligence of the process, and
- helps everyone understand that Web3D Consortium offers serious member value!
   https://www.web3d.org/join

Note that all Web3D zoom conference lines are now protected by password.

[1.2] Web3D Teleconference Information
       https://www.web3d.org/member/teleconference-information

Most working group meetings (and connection information) are also visible on the calendar.

[1.3] Web3D Calendar
       https://www.web3d.org/calendar

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2. *Work in Progress*

a. *ISO Publication of HAnim*

Standing by for publication and announcement on web3d.org.  These documents are available to members on github.

Github links:

[2.0] GitHub: Web3D Consortium
       https://github.com/Web3DConsortium

[2.1] GitHub: Web3D Consortium members, HAnim
       https://github.com/Web3DConsortium/HAnim

[2.2] GitHub: Web3D Consortium members, HAnim Specifications combined parts 1 and 2
       https://github.com/Web3DConsortium/HAnim/raw/master/ISO-IEC19774-combined-IS.Web3D.zip

- - - - - -

b. *APIs*.  John and Don are meeting Monday to discuss his voluminous recent work on Node.js, Ecmascript, Java, Python, and other X3D APIs.

We will also look at whether we are closer to aligning X3DJSONLD with X3DJSAIL/X3DPSAIL (X3D Java/Python Scene Authoring Interface Library).

(Curiously to me) we will also discuss his work on VrmlScript, a subset of EcmaScript which was used back in VRML97, and how it might offer insight today as we work deeply with DOM and HTML, X3DOM and X_ITE implementations, etc.  As ever, getting clear on terminology used in these multiple projects is always helpful.

[2.3] https://coderextreme.net/X3DJSONLD

[2.4] https://GitHub.com/pythonSAI (intended for X3DJSAIL-related jars)

- - - - - -

c. *X_ITE update*

X_ITE invocation is changing.  X_ITE is our most advanced implementation of X3D4 that runs inside an HTML browser.

[2.5] X_ITE, have you seen this?
       http://create3000.de/x_ite/getting-started

Holger Seelig reports:
> in the future I will no longer maintain code.create3000.de, because it is more common to host JavaScript files directly on GitHub. That means that the URLs to include X_ITE will change. This step will happen someday next year, so it is enough time to migrate. With this email I would ask you to update the URLs in the web3d.org examples. The new URLs are:
> <link rel="stylesheet" type="text/css" href="https://cdn.jsdelivr.net/gh/create3000/x_ite@latest/dist/x_ite.css"/>
> <script type="text/javascript" src="https://cdn.jsdelivr.net/gh/create3000/x_ite@latest/dist/x_ite.min.js"></script>
> 
> The files are hosted on GitHub and served by jsDelivr CDN which supports access to GitHub.
> 
> Thank you very much for your support,
> Holger

Thank you Holger!

I have updated all 3993 models maintained and linked by Web3D and NPS without any build errors.  Now deployed and available.

[2.6] X3D Resources, Examples: Scene Archives for X3D
       https://www.web3d.org/x3d/content/examples/X3dResources.html#Examples

Example:

[2.7] X_ITE X3D Player Simple X3D model example: Hello World!
       https://x3dgraphics.com/examples/X3dForAdvancedModeling/HelloWorldScenes/index.html
       https://x3dgraphics.com/examples/X3dForAdvancedModeling/HelloWorldScenes/HelloWorldIndex.html
       https://x3dgraphics.com/examples/X3dForAdvancedModeling/HelloWorldScenes/HelloWorldX_ITE.html

HTML produced by X3dToX3dom.xslt stylesheet (with appropriate switches) includes excerpt as follows.

<!-- X_ITE developer site: https://code.create3000.de/x_ite -->
<link rel="stylesheet"
       type="text/css"
       href="https://cdn.jsdelivr.net/gh/create3000/x_ite@latest/dist/x_ite.css"/>
<script type="text/javascript" src="https://cdn.jsdelivr.net/gh/create3000/x_ite@latest/dist/x_ite.min.js"></script>
<script type="text/javascript" src="https://cdn.jsdelivr.net/gh/create3000/x_ite@latest/dist/rigid-body-physics.min.js"></script>

- - - - - -

d. *Other work*

Lots of discussion on X3D Ontology, Python, JavaScript and HAnim examples on list.

Pending: displayBBox followup, will send soon.

Sound component:  Dick and Don are working with Efi and Thanos to follow up on last week's Sound Component progress.  Ongoing.

Dramatic demonstrations on Design Printing Scanning yesterday for converting STEP files to X3D (aka Web Publishing).  A lot to think about...  Collaboration was really interesting and helpful. We are considering how to keep communicating such progress.  It is a big problem/opportunity space, perhaps a "divide and conquer" approach to recording short sessions might help grow # of participants and what we are able to accomplish together.

Re-identified need: X3D ballcaps so we don't have to comb our hair in front of the camera!  =:0

e. *Mantis issues quicklook*

[2.8] Mantis View All Issues
       https://www.web3d.org/member-only/mantis/view_all_bug_page.php

It will likely be preferable to cache large content with visible="false" rather than <Switch whichChoice="-1"> constructs to hide them.  Even more compressible and performant might be

	<StaticGroup>
		<Shape DEF="HideThisCacheBeforeUsing" visible="false">
			<IndexedFaceSet>
				<Coordinate DEF="MonstrousBig"/>
			</IndexedFaceSet>
		</Shape>
	</StaticGroup>
	<!-- later in scene many Shape nodes can selectively reuse <Coordinate USE="MonstrousBig"/> multiple times, only using coordIndex values of interest each time -->

Related, still an open issue: no easy way to DEF/USE large index arrays.  TODO check Mantis for coverage.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

3. *CORS*

====================================
[3.0] Cross-origin resource sharing (CORS)
       https://en.wikipedia.org/wiki/Cross-origin_resource_sharing

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served.[1]

A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos.[2] Certain "cross-domain" requests, notably Ajax requests, are forbidden by default by the same-origin security policy. CORS defines a way in which a browser and server can interact to determine whether it is safe to allow the cross-origin request.[3] It allows for more freedom and functionality than purely same-origin requests, but is more secure than simply allowing all cross-origin requests.

The specification for CORS is included as part of the WHATWG's Fetch Living Standard.[4] This specification describes how CORS is currently implemented in browsers.[5] An earlier specification was published as a W3C Recommendation[6]
====================================

Motivation:
- can authors consistently create an X3D content collection that works equivalently in a local system or online, whether in a standalone X3D Player or within an HTML page?
- our use of address lists in url arrays is different and a bit more powerful than what is possible in HTML.

Publication challenges:
- as a number of our examples show, one model reusing another (Inline, Prototype etc.) is often not allowed within HTML5 due to CORS.
- Impediments to X3D model cross-referencing limit our ability to "scale up" across the Web.
- There is currently a lack of clarity regarding best practice.

Goals:
a. collect key references, especially for various browsers,
b. synopsize challenges and alternatives for portable content,
c. discuss current practices in X_ITE and X3DOM,
d. discuss what changes might be needed (if any) in X3D Examples Archives,
e. identify any related issues,
h. initial assessment regarding whether this should be addressed in X3D4 Architecture specification.
i. not a goal: "solving" or changing requirements from other standards and practices for Web development.

While it might seem that this is just another "implementation detail" for authors to worry about, we need to make sure that we understand this.

[3.0] [x3d-public] X3D minutes 20 MAR 2020: COVID, X3D Ontology, PBR, Xj3D,
       Blender and MeshLab, CollisionCollection, IFS in CADInterchange, CORS
       http://web3d.org/pipermail/x3d-public_web3d.org/2020-March/011913.html

(see section 7, extract follows)
> 7. X_ITE and CORS on local host
> 
> First, for conversions of X3D Example Archives to X_ITE presentation, just fixed encoding mismatch with X_ITE recommendations.
> 
> prior:
> <X3DCanvas url='"BlenderDefaultBox.x3d"'>
> 
> corrected, url changed to src and double-quotes removed:
> 
> <X3DCanvas src='BlenderDefaultBox.x3d'>
> 	<p><b>Display error: X3D model not shown.</b></p>
> 	<p>Your HTML browser does not appear to support all features required by the
> 	<a href="http://create3000.de/x_ite" target="_blank">X_ITE</a> X3D player!</p>
> </X3DCanvas>
> 
> All examples updated and deployed.  This correction works on website, for example
> 
> * https://x3dgraphics.com/examples/X3dForAdvancedModeling/Conversions/BlenderDefaultBoxX_ITE.html
> 
> but dragging local file into browser gets a CORS error, apparently because it is treated as file:///
> 
> Nicholas reports that running on localhost is handled differently because no local web server is present.  His tutorial for IEEE VR has a few slides on this.

request extracting/sharing, please

> Different servers are available for running locally...
> - atom text editor with http extension;
> - python -m SimpleHTTPServer
>    (built in, must run in current directory)
> - others etc.
> 
> Implications: authors deploying HTML/X3D for local usage need to have a localhost http server.
> 
> Seems strange that local files can't run, but this is a long-running decision by browsers.  Good to finally have an idea what the heck is happening!
> 
> We do need to document CORS requirements and this deployment issue better.  Perhaps X3D Scene Authoring Hints or another dedicated page, X3D Deployment Hints perhaps?  Whatever works.  TODO need to expose this knowledge.

Important follow-up response this morning, also copied here:

[3.0] Vince Marchetti, Re: [...] Cross-origin resource sharing (CORS)
       http://web3d.org/mailman/private/x3d_web3d.org/2020-April/007860.html

> There are three ways that understanding the CORS protocol is relevant to X3D providers and users:
> 
> 1. If you are serving X3D files from your web server but want to allow other providers to render your scenes on their web pages, then you must implement the appropriate CORS headers on your webserver. Otherwise, your X3D scene will not be loaded into X3DOM or X-ITE on their webpage. 
> 
> As an example, the web server for https://www.web3d.org does not implement the CORS headers for serving up the X3D examples; as determined by a procedure described at https://stackoverflow.com/questions/12173990/how-can-you-debug-a-cors-request-with-curl (this was checked 7:00 AM EDT 24 Apr 2020). The web page https://www.kshell.com/pages/cors_test/index.html shows what happens when I try to load https://www.web3d.org/x3d/content/examples/Basic/Web3dOutreach/Web3dLogo.x3d directly into an X-ITE X3DCanvas; it fails because of CORS policy implemented by the web browser. This failure is only for retrieving the X3D file for use in a cross-origin webpage, it is still possible to directly download that X3D file from a web browser or to retrieve it with a tool like curl.
> 
> There is information on how to configure various web servers to allow serving X3D (or other) files for cross-origin requests, at https://enable-cors.org/server.html 
> 
> 2. If you try to load an X3D file on your local file system into a web browser with X-ITE/X3DOM, it will often fail, blaming the failure on CORS policy though it's more properly understood as a security policy implemented by the browser restricting usage of local file system. This policy can be configured away on some browsers, but (in some opinions) the better solution is to use a local HTTP server to view local X3D files in X3DOM or X-ITE. One way to set up a quick local HTTP server is with Python, see https://developer.mozilla.org/en-US/docs/Learn/Common_questions/set_up_a_local_testing_server 
> 
> 3. If you are developing an X3D viewer that works outside a mass-market browser, but you are allowing downloading X3D from remote servers, then you should implement the CORS policy for Inline references. It's also true that for this type of application, downloading remote content that allows scripting, there are many more security vulnerabilities to be protected against.

Notable: all changes for supporting CORS are on the server, not in authored X3D or HTML content.

Summary: we should apply and implement current practices as far as possible to see whether that answers all concerns.  If gaps remain, revisit this topic.  Beyond informational descriptions/references, likely no X3D4 specification changes are necessary.
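
The server-side behaviour described in Vince's points 1 and 2, as an added example that is not part of the original minutes or any Web3D code: a local Python HTTP server that sends Access-Control-Allow-Origin for model and media files, plus a check that mirrors the curl procedure by sending an Origin header and reading the response. The extension list, function names and port 8000 are assumptions made for illustration.

```python
import functools
import http.server
import threading
import urllib.request

# Assumption: extensions treated as public X3D models and related media.
CORS_EXTENSIONS = (".x3d", ".x3dv", ".wrl", ".json", ".png", ".jpg")


class CorsHandler(http.server.SimpleHTTPRequestHandler):
    """Static file handler that adds a CORS header for X3D assets only."""

    def end_headers(self):
        path = getattr(self, "path", "").split("?", 1)[0].lower()
        if path.endswith(CORS_EXTENSIONS):
            # "*" suits only public content fetched without credentials.
            self.send_header("Access-Control-Allow-Origin", "*")
        super().end_headers()

    def log_message(self, fmt, *args):
        pass  # keep the console quiet


def start_server(directory, port=0):
    """Serve `directory` on 127.0.0.1; port 0 picks a free port."""
    handler = functools.partial(CorsHandler, directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def cors_allow_origin(url, origin):
    """Return the Access-Control-Allow-Origin value a server sends, or None."""
    req = urllib.request.Request(url, headers={"Origin": origin})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers.get("Access-Control-Allow-Origin")


def origin_permitted(url, origin):
    """True if a browser page at `origin` could read `url` cross-origin."""
    return cors_allow_origin(url, origin) in ("*", origin)


if __name__ == "__main__":
    start_server(".", 8000)
    print("Serving current directory on http://127.0.0.1:8000/ (Ctrl-C to stop)")
    threading.Event().wait()
```
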

Next steps:

a. Website policy decision, when ready: configure Apache headers for web3d.org to allow CORS from this server.  For example, unlock retrieval access for full set of published open-source models and assets online at

[3.1] X3D Examples tree
       https://www.web3d.org/x3d/content/examples

b. Specifically, allow CORS requests for files (X3D encodings, and all related media types for imagery, sound, video etc.) in our web3D.org public tree.

c. What sites might we want to consistently configure for CORS:
    web3d.org
    spri.kshell.com (already configured)
    x3dgraphics.com
    savage.nps.edu
    others?

d. Documenting best practices and recommendations for website configuration is good, we already provide MIME type guidance for web servers.  Perhaps a special section or page accompanying

[3.1] X3D Scene Authoring Hints
       https://www.web3d.org/x3d/content/examples/X3dSceneAuthoringHints.html

That page isn't quite apropos, maybe we need a *X3D Server Configuration Recommendations* page?
- CORS
- MIME types (already standardized),
- Node.js
- Jupyter and Zeppelin notebooks for Python,
- Java,
- Configuration supporting other tools and packages,
- anything else?

Interesting authoring opportunity here, might be quite helpful.  Would anybody like to create and establish this page?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Thanks for all inputs and participation, productive and interesting session today.

Next week's topic TBD.  We are doing well on keeping up with our planned progress.

Regardless of origin... have fun with X3D!  8)

all the best, Don
-- 
Don Brutzman  Naval Postgraduate School, Code USW/Br       brutzman at nps.edu
Watkins 270,  MOVES Institute, Monterey CA 93943-5000 USA   +1.831.656.2149
X3D graphics, virtual worlds, navy robotics http://faculty.nps.edu/brutzman


