[x3d-public] X3D4 security-related field addition: X3DUrlObject refreshTimeLimit

John Carlson yottzumm at gmail.com
Mon Nov 30 18:26:38 PST 2020


I’m not sure about defaults.   Um.  I’m imagining something might cause a
refresh.   I am thinking of an Xmas display which may run for weeks.
While out of scope for below maybe, we should consider running inside a
kiosk.   Potentially with a poor network connection.

On Mon, Nov 30, 2020 at 6:55 PM Don Brutzman <brutzman at nps.edu> wrote:

> Editor review today revealed a new potential security issue.
>
> We may need to add a /refreshDuration/ limit to accompany url /refresh/ so
> that reloading doesn't occur indefinitely.
>
> =========================
> 9.3.2 X3DUrlObject
>
> https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19775-1v4-WD3/Part01/components/networking.html#X3DUrlObject
>
> X3DUrlObject {
>    SFString [in,out] description ""
>    SFBool   [in,out] load        TRUE
>    SFTime   [in,out] refresh     0.0 [0,∞)
>    MFString [in,out] url         []  [URI]
> }
> [...]
>
> The refresh field defines the interval in seconds that are necessary
> before an automatic reload of the current url asset is performed. If the
> preceding file loading fails or the load field is FALSE, no refresh is
> performed. If performed, a refresh attempts to reload the currently loaded
> entry of the url list. If a refresh fails to reload the currently loaded
> url entry, the browser retries the other entries in the url list.
>
> WARNING  Automatically reloading content can have security implications
> and needs to be considered carefully.
> =========================
>
> Suggest we add:
>
>    SFTime   [in,out] refreshTimeLimit  600.0  [0,3600.0]
>
> "The refreshTimeLimit field defines the maximum duration in seconds that
> /refresh/ activity is allowed to occur.  This field is intended to reduce
> potential risks associated with indefinite repetition of automatic link
> retrieval. Setting the /load/ field to TRUE resets the refreshTimeLimit
> clock."
>
> Conceivably X3D browsers may define additional settings for this parameter
> that require user permissions to override, but that doesn't sound like
> something for the X3D Specification.
>
> Values of 600 seconds and 3600 seconds correspond to 10 minutes and 1 hour
> respectively.  Seems reasonable, I hope.
>
> All reactions welcome.
>
> all the best, Don
> --
> Don Brutzman  Naval Postgraduate School, Code USW/Br
> brutzman at nps.edu
> Watkins 270,  MOVES Institute, Monterey CA 93943-5000 USA   +1.831.656.2149
> X3D graphics, virtual worlds, navy robotics
> http://faculty.nps.edu/brutzman
>
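Added example, not part of the original messages and not code from any X3D browser: a sketch of the reload schedule implied by the proposed refreshTimeLimit wording, applied to the weeks-long kiosk case raised in the reply. The function name, the loadResets and runFor parameters, treating refresh <= 0 as "no reload", clamping out-of-range limits, and restarting the refresh interval when load is set to TRUE are all assumptions.

```javascript
// Illustration only: reloadTimes, loadResets and runFor are hypothetical names.
const MIN_LIMIT = 0;     // lower bound of the proposed refreshTimeLimit range (seconds)
const MAX_LIMIT = 3600;  // upper bound of the proposed range (1 hour)

// Returns the times, in seconds after the first successful load, at which
// the url would be reloaded.
//   refresh          - reload interval in seconds (assumption: <= 0 disables reloading)
//   refreshTimeLimit - proposed field, default 600, clamped to [0, 3600] (assumption)
//   loadResets       - times at which load is set to TRUE again, resetting the clock
//   runFor           - how long the scene stays open, in seconds
function reloadTimes({ refresh, refreshTimeLimit = 600, loadResets = [], runFor }) {
  if (!(refresh > 0)) return [];
  const limit = Math.min(Math.max(refreshTimeLimit, MIN_LIMIT), MAX_LIMIT);
  // Each reset opens a new window in which refresh activity is allowed.
  const resets = loadResets.filter((t) => t > 0 && t < runFor).sort((a, b) => a - b);
  const starts = [0, ...resets];
  const times = [];
  starts.forEach((start, i) => {
    const nextStart = i + 1 < starts.length ? starts[i + 1] : Infinity;
    const end = Math.min(start + limit, runFor); // the window closes at the limit
    for (let t = start + refresh; t <= end && t < nextStart; t += refresh) {
      times.push(t);
    }
  });
  return times;
}

const TWO_WEEKS = 14 * 24 * 3600;

// Kiosk left running for two weeks with the proposed default limit:
// reloading stops after the first 10 minutes.
console.log(reloadTimes({ refresh: 300, runFor: TWO_WEEKS }));

// Asking for a one-day limit is clamped to the proposed maximum of 1 hour.
console.log(reloadTimes({ refresh: 300, refreshTimeLimit: 86400, runFor: TWO_WEEKS }).length);

// Setting load to TRUE at t = 7200 s opens a second 10-minute window.
console.log(reloadTimes({ refresh: 300, loadResets: [7200], runFor: 10000 }));
```

Under these assumptions, a display that must keep refreshing for weeks needs something in the scene to set load to TRUE periodically, because the proposed range caps each window at one hour.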

