[x3d-public] ... cross-origin scripting errors
Leonard Daly
Leonard.Daly at realism.com
Wed Apr 13 11:24:37 PDT 2016
Andreas,
> AFAIK, x3dom also requires running a local web server to access local
> files
Depends on browser. Firefox does not require a web server to use the
file:// protocol. Other browsers do. It is in the browser configuration.
Different browsers have different methods of doing configuration. Check
with the docs for that browser.
Note that this only applies to external resources used by non-HTML
elements. For example you can load scripts, images, CSS, etc. from any
location using <script>, <img>, <link>, respectively. The referenced URL
can change while the HTML page is active. That is all fine. If script
code tries to access an external resource (via AJAX), the browser is
supposed to get permission from the server where the HTML originated
before attempting to make that request. This is to prevent malicious
scripts from getting injected into an HTML page, then requesting (or
sending) data to a 3rd-party server. See pages 9-11 of
http://realism.com/presentations/90?title=Drupal-in-3D%3A-Leveraging-WebGL-and-X3DOM-for-interactive-3D-content-visualization
for a quick description of how to make this work.
> and suggests using the http server which comes with python:
>
> http://doc.x3dom.org/gettingStarted/pythonSimpleHTTP/index.html
>
> Running an http server (but web browser?) may be considered a security
> hole if outgoing traffic somehow was not considered in security design.
Please expand on this. Do you mean the simple python server, a
full-blown server on local (e.g., Apache), web server on the LAN, or an
external web server? There are different security issues in each
configuration and the risk goes from minimal to significant.
> A local http server would still work even if the machine is physically
> disconnected from the network for maximum security.
Unless you really know what you are doing you should only go with the
simple python (or equivalent) server.
>
> It may be possible to package a small local web server, webkit with js
> engine, and javascript app (cobweb) into a standalone application with
> a custom UI which can open local files. But it would be a development
> effort and the resulting application may be a larger security risk
> than a standard web browser although it would not look like one.
No, please don't (for anyone here). Too much effort has already gone
into the development of web servers, browsers, JS engines, etc. to
justify doing this.
--
*Leonard Daly*
3D Systems & Cloud Consultant
X3D Co-Chair on Sabbatical
LA ACM SIGGRAPH Chair
President, Daly Realism - /Creating the Future/
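Added example, not code from this thread or from the x3dom project: a variant of the simple Python file server that makes the permission step described above explicit. It grants cross-origin AJAX access only to an allow-listed page origin, answers the browser's preflight, and binds to the loopback interface so a machine on the LAN cannot reach it. The ALLOWED_ORIGINS set, the port, and the .x3d MIME entry are assumptions for the example.

```python
"""Loopback-only static server for local X3D assets with an explicit CORS
allow-list (added example; not the list post's or x3dom's own code)."""
import http.server
import os
import socketserver

# Constructed allow-list: only HTML pages served from these origins may read
# our responses from script. Any other Origin gets no grant at all.
ALLOWED_ORIGINS = {"http://localhost:8000", "http://127.0.0.1:8000"}


def cors_headers(origin):
    """Return the CORS headers granted for a request's Origin header value.

    A missing or unlisted Origin yields no Access-Control-* headers, so the
    browser completes the request but refuses to hand the body to script.
    """
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": "GET, HEAD, OPTIONS",
        "Access-Control-Allow-Headers": "Content-Type",
        "Vary": "Origin",  # caches must not reuse one origin's grant for another
    }


class X3DHandler(http.server.SimpleHTTPRequestHandler):
    # Assumed MIME mapping so .x3d files are served with a model type.
    extensions_map = {**http.server.SimpleHTTPRequestHandler.extensions_map,
                      ".x3d": "model/x3d+xml"}

    def end_headers(self):
        # Attach the grant (if any) to every response, including 404s.
        for name, value in cors_headers(self.headers.get("Origin")).items():
            self.send_header(name, value)
        super().end_headers()

    def do_OPTIONS(self):
        # Preflight: status only, no body; end_headers() adds the grant.
        self.send_response(204)
        self.end_headers()


def serve(directory, port=8000):
    """Serve only `directory`, and only to clients on this machine."""
    os.chdir(directory)
    with socketserver.TCPServer(("127.0.0.1", port), X3DHandler) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    serve(".")
```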