[X3D-Public] HTML5 Web3D Working Group January 5 2010

John Carlson john.carlson3 at sbcglobal.net
Tue Jan 12 21:12:44 PST 2010


On Jan 12, 2010, at 6:48 AM, John A. Stewart wrote:

> X3D-Public mailing list members - here are the finalized minutes for the January 5 2010 meeting.
> 
> 
> 11) Javascript and DOM security.
> 
> January 5 2010:
> 
> John Carlson wrote an email questioning DOM and X3D integration. see:
> 
> http://www.web3d.org/pipermail/x3d-public_web3d.org/2010-January/000575.html
> 
> 
> Len: Maybe this is a problem with javascript security? should not be able to go cross-domain in Javascript. If so, this is not an X3D problem, but a Javascript issue.
> 
> John - a design problem with javascript, or an implementation problem?
> 
> Len - Javascript - design problem; the net changed the way javascript is used. General community of content - some of which may be hostile to other content.
> 
> Don - wants to read and study more.
> 
> Don  - creating a new bullet in wiki about this.
> 
> Don - do not have a general security issue section concerning X3D in general.
I think there are tools coming out, which a few sites use (yahoo for one), that help with javascript security.   They essentially rewrite the javascript to make it more secure.  I think the goal was to allow mashups on the same page by rewriting the javascript.

 I believe the problem with the JavaScript DOM is once you have any DOM node, you can traverse (especially) up and down the DOM using standard tools (getElementById() and friends).  If you can traverse the DOM, I would think that you change functions etc.   But that's javascript, changing the functions. My concern is that some of the DOM nodes (if not all) have a reference to their parent, so I would think if you gave a javascript function a low level node, it could track up the DOM, following the parents.  Thus there is no real information hiding (at least in the same domain) in the DOM.  I know it's useful, but use of the parent method/node is problematic when doing mashups.  Perhaps the javascript rewriting tools can address the parent issue (and it may).

I realize there's similarity between the DOM and the filesystem.  Perhaps full access is not a good idea, and one should only grant to a JavaScript function the nodes that it needs.

John


More information about the X3D-Public mailing list