[x3d-public] X3D4 security-related field addition: X3DUrlObject refreshTimeLimit
Don Brutzman
brutzman at nps.edu
Mon Nov 30 16:54:36 PST 2020
Editor review today revealed a new potential security issue.
We may need to add a /refreshDuration/ limit to accompany url /refresh/ so that reloading doesn't occur indefinitely.
=========================
9.3.2 X3DUrlObject
https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19775-1v4-WD3/Part01/components/networking.html#X3DUrlObject
X3DUrlObject {
SFString [in,out] description ""
SFBool [in,out] load TRUE
SFTime [in,out] refresh 0.0 [0,∞)
MFString [in,out] url [] [URI]
}
[...]
The refresh field defines the interval in seconds that is necessary before an automatic reload of the current url asset is performed. If the preceding file loading fails or the load field is FALSE, no refresh is performed. If performed, a refresh attempts to reload the currently loaded entry of the url list. If a refresh fails to reload the currently loaded url entry, the browser retries the other entries in the url list.
WARNING Automatically reloading content can have security implications and needs to be considered carefully.
=========================
Suggest we add:
SFTime [in,out] refreshTimeLimit 600.0 [0,3600.0]
"The refreshTimeLimit field defines the maximum duration in seconds that /refresh/ activity is allowed to occur. This field is intended to reduce potential risks associated with indefinite repetition of automatic link retrieval. Setting the /load/ field to TRUE resets the refreshTimeLimit clock."
Conceivably X3D browsers may define additional settings for this parameter that require user permissions to override, but that doesn't sound like something for the X3D Specification.
Values of 600 seconds and 3600 seconds correspond to 10 minutes and 1 hour respectively. Seems reasonable, I hope.
All reactions welcome.
all the best, Don
--
Don Brutzman Naval Postgraduate School, Code USW/Br brutzman at nps.edu
Watkins 270, MOVES Institute, Monterey CA 93943-5000 USA +1.831.656.2149
X3D graphics, virtual worlds, navy robotics http://faculty.nps.edu/brutzman
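As an added illustration, not part of the original message, the X3D specification or any X3D browser, here is a small Python model of the refresh scheduling described above with the proposed refreshTimeLimit field and the "setting load TRUE resets the clock" rule; it also models the url-list fallback on a failed reload. The url values and the fetch callback are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Callable, List

Fetcher = Callable[[str], bool]  # constructed stand-in for a network fetch


@dataclass
class UrlObject:
    """Model of an X3DUrlObject node with the proposed refreshTimeLimit field."""
    url: List[str]                     # MFString url
    refresh: float = 0.0               # SFTime refresh: 0 disables automatic reload
    refresh_time_limit: float = 600.0  # proposed SFTime refreshTimeLimit (default 600)
    load: bool = True                  # SFBool load
    loaded_index: int = -1             # currently loaded url entry, -1 if none
    last_load_failed: bool = False
    next_refresh_at: float = 0.0
    limit_expires_at: float = 0.0      # refreshTimeLimit clock; reset by set_load(True)

    def set_load(self, value: bool, now: float, fetch: Fetcher) -> None:
        self.load = value
        if value:
            # Proposed semantics: setting load TRUE resets the refreshTimeLimit clock.
            self.limit_expires_at = now + self.refresh_time_limit
            self.next_refresh_at = now + self.refresh
            self.attempt_load(fetch, 0)

    def attempt_load(self, fetch: Fetcher, start: int) -> bool:
        # Try the url entries in order from `start`, wrapping round the list.
        n = len(self.url)
        for k in range(n):
            i = (start + k) % n
            if fetch(self.url[i]):
                self.loaded_index, self.last_load_failed = i, False
                return True
        self.last_load_failed = True
        return False

    def tick(self, now: float, fetch: Fetcher) -> bool:
        """Advance the clock; return True if an automatic refresh was attempted."""
        if not self.load or self.refresh <= 0 or self.last_load_failed:
            return False  # spec: no refresh after a failed load or when load is FALSE
        if now < self.next_refresh_at or now > self.limit_expires_at:
            return False  # not yet due, or past the proposed refreshTimeLimit
        self.next_refresh_at = now + self.refresh
        self.attempt_load(fetch, max(self.loaded_index, 0))
        return True


def count_refreshes(obj: UrlObject, fetch: Fetcher, seconds: int) -> int:
    """Simulate `seconds` of wall clock at 1 s resolution; return refresh attempts."""
    obj.set_load(True, 0.0, fetch)
    return sum(1 for t in range(1, seconds + 1) if obj.tick(float(t), fetch))
```

With refresh 60 s the default limit of 600 s caps an hour of scene time at 10 reloads, where the same node without the limit would reload 60 times.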