<div><div dir="auto">I’m not sure about defaults. Um. I’m imagining something might cause a refresh. I am thinking of an Xmas display which may run for weeks. While out of scope for below maybe, we should consider running inside a kiosk. Potentially with a poor network connection.</div></div><div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Nov 30, 2020 at 6:55 PM Don Brutzman <<a href="mailto:brutzman@nps.edu" target="_blank">brutzman@nps.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)">Editor review today revealed a new potential security issue.<br>
<br>
We may need to add a /refreshDuration/ limit to accompany url /refresh/ so that reloading doesn't occur indefinitely.<br>
<br>
=========================<br>
9.3.2 X3DUrlObject<br>
<a href="https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19775-1v4-WD3/Part01/components/networking.html#X3DUrlObject" rel="noreferrer" target="_blank">https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19775-1v4-WD3/Part01/components/networking.html#X3DUrlObject</a><br>
<br>
X3DUrlObject {<br>
SFString [in,out] description ""<br>
SFBool [in,out] load TRUE<br>
SFTime [in,out] refresh 0.0 [0,∞)<br>
MFString [in,out] url [] [URI]<br>
}<br>
[...]<br>
<br>
The refresh field defines the interval in seconds that are necessary before an automatic reload of the current url asset is performed. If the preceding file loading fails or the load field is FALSE, no refresh is performed. If performed, a refresh attempts to reload the currently loaded entry of the url list. If a refresh fails to reload the currently loaded url entry, the browser retries the other entries in the url list.<br>
<br>
WARNING Automatically reloading content can have security implications and needs to be considered carefully.<br>
=========================<br>
<br>
Suggest we add:<br>
<br>
SFTime [in,out] refreshTimeLimit 600.0 [0,3600.0]<br>
<br>
"The refreshTimeLimit field defines the maximum duration in seconds that /refresh/ activity is allowed to occur. This field is intended to reduce potential risks associated with indefinite repetition of automatic link retrieval. Setting the /load/ field to TRUE resets the refreshTimeLimit clock."<br>
<br>
Conceivably X3D browsers may define additional settings for this parameter that require user permissions to override, but that doesn't sound like something for the X3D Specification.<br>
<br>
Values of 600 seconds and 3600 seconds correspond to 10 minutes and 1 hour respectively. Seems reasonable, I hope.<br>
<br>
All reactions welcome.<br>
<br>
all the best, Don<br>
-- <br>
Don Brutzman Naval Postgraduate School, Code USW/Br <a href="mailto:brutzman@nps.edu" target="_blank">brutzman@nps.edu</a><br>
Watkins 270, MOVES Institute, Monterey CA 93943-5000 USA +1.831.656.2149<br>
X3D graphics, virtual worlds, navy robotics <a href="http://faculty.nps.edu/brutzman" rel="noreferrer" target="_blank">http://faculty.nps.edu/brutzman</a><br>
<br>
_______________________________________________<br>
x3d-public mailing list<br>
<a href="mailto:x3d-public@web3d.org" target="_blank">x3d-public@web3d.org</a><br>
<a href="http://web3d.org/mailman/listinfo/x3d-public_web3d.org" rel="noreferrer" target="_blank">http://web3d.org/mailman/listinfo/x3d-public_web3d.org</a><br>
</blockquote></div></div>
</div>