> > > The basic requirements for a 3d viewer extension (somewhat pulled out of my > > hat, so some people might have different requitements) > > > > *Secure (obviously very important. No one wants xss in a media viewer. This > > also includes other things like not making network fetches on the server > > (this came up in the past with some file formats allowing additional files > > to be referenced by url)) > > I understand XSS but sorry I, din't really get the second part. :( > i'm not all that familar with 3d-stuff so this might not apply, but an example of this issue in 2d world is svg files. They can include external embedded images (ie they can include an instruction saying show image from the following url). We turn svgs into pngs on the server side, but disable that feature as we dont want our webservers making http requests to random sites to retrieve the embedded image. (E.g. someone could upload an svg with the hope it will be rendered a lot, and DOS the server where it embeds the image from).
Hope that clarifies what i meant. -bawolff _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
