[x3d-public] Simplifying ProtoInstance nodes; spec security precaution
John Carlson
yottzumm at gmail.com
Mon May 12 18:39:39 PDT 2025
I have mentioned creating additional Schema on the fly from parsing
ProtoDeclares, then attaching that to the Schema DOM or JavaScript object
(Ajv, a JSON schema validator, has an addSchema() function). I’m kind of
leaving it up to XML schema folks to find such schema tools for XSD DOM.
I’m no expert on XSD. Really any on the fly modification of XML Schema is
up to languages and libraries, AFAIK, XML schema on its own is not
extensible. Big fail, but good for security.
One might look into SGML and SGML schema to see if there’s anything there
which could be incorporated into a future XML, DOM or XML schema
standards. My guess is they include such a thing, or possible proposals
were rejected.
It certainly is a long way to look back, probably to pre-web days. Just a
few old timers around. I have included Solveig in this conversation to see
her/his insights.
I hope he/she responds.
I didn’t realize ExternProtoDeclare url reload was a security error.
Thanks for heads up. All the more reason not to use my prototype
PrototypeExpander. Oops! It was a confused mess. Luckily, I don’t recall
checking it into X_ITE or X3DOM. If anyone else did, that’s on them! I
had the sense enough not to even propose it be included!
It still is in X3DJSONLD, perhaps on some HTML pages, but the main
index.html shouldn’t use actually use my PrototypeExpander, even though
it’s included here:
https://github.com/coderextreme/X3DJSONLD/blob/master/src/main/html/index.html
Filing bug reports is welcome, AFAIK, I’ve not received any except my own:
https://github.com/coderextreme/X3DJSONLD/issues
I’ll take steps to formally remove the ProtoExpander from X3DJSONLD. I
will also create an X3DOM page there for testing Protos, which I should
have done ages ago.
But I’d love to bring back parallel views of X3DOM, X_ITE and Castle Model
Viewer-Web if everyone is copacetic (in agreement).
John
On Mon, May 12, 2025 at 6:55 PM Brutzman, Donald (Don) (CIV) via x3d-public
<x3d-public at web3d.org> wrote:
> Glad we are making sense here.
As far as the specification goes, the farthest ISO/IEC 19775-1 X3D
Architecture would state is noting
- The X3D model is in error,
- This is a security consideration.
The specification rarely goes beyond that in order to avoid unintended
burdens on browsing and tools, risking the creation of non-compliant
situations. We are not trying to standardize handling of warnings, errors,
and edge cases since that is intimately related to application-software
design.
>
> Meanwhile, each of the following steps you've listed make excellent sense
> as responses to be considered by browsers and other (often validating)
> tools.
>
> I do not see a way to build in such checks in X3D XML Schema. I do see a
> way to detect such errors in X3D-Edit, X3D Schematron, X3DJSAIL, x3d.py
> X3DPSAIL, etc.
>
> May I suggest that users deserve special notice of security-related
> violations, they are not simple errors and are indicative of content
> trustworthiness (and ill intent). Fair warning seems necessary to maintain
> user trust.
>
> Such warnings and precautions are sprinkled throughout X3D Tooltips. More
> are always welcome.
>
>
> - X3D Tooltips
> - https://www.web3d.org/x3d/tooltips/X3dTooltips.html
> - 32 occurrences (so far): "*Warning*: automatically reloading content
> has security considerations and needs to be considered carefully."
> - ... Now 34, I just added a relevant recursion warnings under Inline
> url and ExternProtoDeclare url.
> - "Warning: direct or indirect recursion by Inline and/or
> ExternProtoDeclare url reloading is a security error."
> - TODO: update and deploying the tooltips is delayed due to a separate
> problem.
>
>
> If it is considered to have potential value, I could see us trying to
> write an informative annex Security Considerations in X3D 4.1.
> Alternatively, such specification prose might go in a section on Security
> Considerations that gets considered for each file encoding and
> programming-language binding. However it is difficult to see how this
> might be done concisely.
>
> Probably best for now is put any general non-specification guidance
> somewhere information, such as X3D Scene Authoring Hints or the resources
> listed in
>
>
> - X3D Resources: Security
> -
> https://www.web3dconsortium.org/x3d/content/X3dResources.html#Security
>
>
> Onward we go, carefully...
>
>
> all the best, Don
>
> --
>
> Don Brutzman Naval Postgraduate School, Code USW/Br
> brutzman at nps.edu
>
> Watkins 270, MOVES Institute, Monterey CA 93943-5000 USA
> +1.831.656.2149
>
> X3D graphics, virtual worlds, navy robotics
> https://faculty.nps.edu/brutzman
>
>
>
> ------------------------------
> *From:* x3d-public on behalf of Andreas Plesch via x3d-public
> *Sent:* Monday, May 12, 2025 9:47 AM
> *To:* X3D Graphics public mailing list
> *Cc:* Andreas Plesch
>
> *Subject:* Re: [x3d-public] Simplifying ProtoInstance nodes; spec
> security precaution
>
> Good point, trying to overload/redefine existing nodes should be
> considered on a different level than undefined behaviour for rendering or
> interactions.
>
> What are the implications of the spec. deeming this an error ?
>
> - the document becomes invalid X3D ?
> - a conforming browser should/must recognize the conflict and do something
> appropriate, eg. warn and halt, or warn and ignore proto declaration, or
> just warn ?
> - what else ?
>
> -Andreas
>
>
> Date: Mon, 12 May 2025 04:36:26 +0000
> From: "Brutzman, Donald (Don) (CIV)" <brutzman at nps.edu>
> To: Holger Seelig <holger.seelig at yahoo.de>, X3D <x3d-public at web3d.org>
> Subject: Re: [x3d-public] Simplifying ProtoInstance nodes; spec
> security precaution
> Message-ID:
> <
> BY3PR13MB4884EC77F3E676D12B70AED3C497A at BY3PR13MB4884.namprd13.prod.outlook.com
> >
>
> Content-Type: text/plain; charset="utf-8"
>
> I found the specification prose mentioning re-definition of existing
> nodes. Important problem to catch in implementations!
>
>
> *
> X3D Architecture, v4.1 draft, Clause 4 Concepts, 4.4.4 Prototype
> semantics, 4.4.4.1 Introduction
> *
>
> https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19775-1v4.1-CD//Part01/concepts.html#PrototypeSemanticsIntro
> *
> "Node type names shall be unique in each X3D file. The results are
> undefined if a prototype is given the same name as a built-in node type or
> a previously defined prototype in the same scope."
>
> I also found the following related security precaution, introduced in X3D
> 4.0:
>
>
> *
> X3D Architecture, v4.1 draft, Clause 4 Concepts, 4.4.4.3 PROTO definition
> semantics
> *
>
> https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19775-1v4.1-CD//Part01/concepts.html#PrototypeSemantics
> *
> "Security precaution: it is an error for a prototype to reference an
> instance or repeated declaration of itself, directly or indirectly, in
> order to avoid nonterminating recursion loops. This error might occur with
> either local or external (PROTO or EXTERNPROTO) declarations. X3D browsers
> shall not honor self-referential loading of prototype declaration loops in
> order to avoid security vulnerabilities."
>
> Along those lines, it is easy to imagine all sorts of mischief if a
> prototype overloads a given node in the specification. For example,
> creating a new Transform prototype that is actually a Box then breaks all
> other regular Transform nodes.
>
> As a result, I now think we should not allow overloading an existing node
> name, since it is a security problem. Saying that results are undefined is
> unacceptably weak.
>
> Something else to remain cognizant of: during X3D evolution, we often
> prototype proposed new nodes to test their proposed functionality.
> Further, if the node is eventually accepted, then existence of the
> prototype provides helpful backwards compatibility for earlier versions of
> the X3D standard.
>
> Suggested spec change in 4.4.4.1 Introduction of X3D Architecture, thus
> applying to all X3D file encodings and programming-language bindings:
>
>
> *
> "Security precaution: it is an error for a prototype to rename a built-in
> node type that is already defined in the X3D version referenced by an X3D
> model."
> *
> "The results are undefined if a prototype is given the same name as a
> built-in node type or a previously defined prototype in the same scope."
>
> *
> TODO: consider including an example that renames Transform using a
> prototype declaration for a Box, specifically saying it is not allowed.
> This is similar to your example Holger, but more egregious and damaging to
> the model.
> *
> EXAMPLE PROTO Transform [] { Box {} } # specifically disallowed
>
> As ever, comments welcome. Dick and I will also consider this situation
> when creating the Mantis issues and specification prose improvements.
>
> Have fun with secure X3D...
>
>
> all the best, Don
>
> --
>
> Don Brutzman Naval Postgraduate School, Code USW/Br
> brutzman at nps.edu
>
> Watkins 270, MOVES Institute, Monterey CA 93943-5000 USA
> +1.831.656.2149
>
> X3D graphics, virtual worlds, navy robotics
> https://faculty.nps.edu/brutzman
>
>
>
> ________________________________
> From: Holger Seelig
> Sent: Saturday, May 10, 2025 12:37 PM
> To: X3D
> Cc: Michalis Kamburelis; Brutzman, Donald (Don) (CIV)
> Subject: Re: [x3d-public] Simplifying ProtoInstance nodes
>
> There is another drawback which already exist in VRML encoding. What take
> precedence if a PROTO is named as a build-in node. Consider a PROTO named
> Box with a Sphere as root node. What is happening if a Box is now
> instantiated?
>
> PROTO Box []
> {
> Sphere {}
> }
>
> Shape {
> Box {}
> }
>
> This behaviour is not handled by the specification, but X_ITE does the
> following: build-in nodes will take precedence over over PROTO nodes, it
> will still display a Box node. Don?t know what Caste or X3DOM does. With
> current XML encoding this is very cleared and there is no prob at all. But
> in VRML encoding or with XML ?short syntax? this may be worth a spec
> comment.
>
> Best regards,
> Holger
>
> --
> Holger Seelig
> Leipzig, Germany
>
> holger.seelig at yahoo.de
> https://create3000.github.io/x_ite/
> https://patreon.com/X_ITE
>
>
>
> Am 10.05.2025 um 20:44 schrieb Brutzman, Donald (Don) (CIV) via x3d-public
> <x3d-public at web3d.org>:
>
> +1 on all counts, thanks for thoughtful consideration Michalis.
>
> Further considerations are always welcome.
>
> Next week Dick and I will review comments, then consider a Mantis issue
> and draft prose addition to X3D XML Encoding.
>
> all the best, Don
> --
> Don Brutzman Naval Postgraduate School, Code USW/Br
> brutzman at nps.edu<mailto:brutzman at nps.edu>
> Watkins 270, MOVES Institute, Monterey CA 93943-5000 USA
> +1.831.656.2149
> X3D graphics, virtual worlds, navy robotics
> https://faculty.nps.edu/brutzman
>
>
>
> ________________________________
> From: Michalis Kamburelis
> Sent: Saturday, May 10, 2025 11:38 AM
> To: Extensible 3D (X3D) Graphics public discussion
> Cc: Brutzman, Donald (Don) (CIV)
> Subject: Re: [x3d-public] Simplifying ProtoInstance nodes
>
> I think this short form (in XML encoding) makes sense, and Castle Game
> Engine / Castle Model Viewer could support it too.
>
> It makes XML encoding and classic encoding more consistent: you can use
> PROTO to define a new node, and then use the new node with the same syntax
> as "built-in nodes". This is already true for classic encoding, it's nice
> to bring this feature to XML encoding.
>
> Don has already expressed the important drawback of this "short form":
> such XML will not validate. I mean, it will validate in X3D-specific tools
> like "castle-model-converter --validate .." (once we add support for it),
> but the general XML validation using XML Schema has no way of validating
> it. You cannot tell in XML schema "this XML element name is valid, if
> defined by some XML attribute elsewhere". I'm guessing this was the whole
> reason why ProtoInstance, fieldValue etc. were invented in XML encoding.
>
> I'm guessing in JSON X3D encoding, the consideration will be similar: it
> can be implemented, but the resulting file will not validate with JSON
> schema ( https://json-schema.org/ ).
>
> Anyhow, if we're all fine with accepting this drawback, then we sure can
> go ahead and add it to spec :) As long as "long form" remains available,
> and thus tools like XML schema and JSON schema remain useful, I think it
> makes sense to have this choice.
>
> Regards,
> Michalis
>
> sob., 10 maj 2025 o 18:38 Brutzman, Donald (Don) (CIV) via x3d-public <
> x3d-public at web3d.org<mailto:x3d-public at web3d.org>> napisa?(a):
> Thanks for the interesting, innovative discussion. Excerpting the example:
>
>
> *
>
> https://create3000.github.io/x_ite/tutorials/creating-new-node-types/#using-prototyped-nodes
>
> _________________________
> XML Encoding
>
> 1
> 2
> 3
> 4
> 5
> 6
> 7
> 8
> 9
>
>
> <!-- Official Syntax -->
> <ProtoInstance name='BouncingBall'>
> <fieldValue name='cycleInterval' value='2'/>
> <fieldValue name='bounceHeight' value='3'/>
> </ProtoInstance>
> <!-- Short Syntax -->
> <BouncingBall
> cycleInterval='2'
> bounceHeight='3'/>
>
>
> Classic VRML Encoding
>
> 1
> 2
> 3
> 4
>
>
> BouncingBall {
> cycleInterval 2.0
> bounceHeight 3.0
> }
>
>
> _________________________
>
> One drawback with the "short" XML syntax is that it will not pass XML
> DOCTYPE or XML Schema validation, although it still must conform to XML
> well-formed rules. Additional tool-specific capabilities can check for
> such correctness during parsing, of course. Avoiding XML validation
> relaxes quality assurance (QA) for the entire scene, not just that
> prototype instance, and so use of the short form should be considered
> carefully.
>
> Of course there is much merit too, not least of which are readability and
> consistency with other XML-encoded nodes.
>
> As it turns out, now is a good time to consider such a change to the X3D
> Standards suite. We have highly mature documents defining X3D encodings
> using XML and ClassicVRML syntax. Conceivably a "short" form for
> ProtoInstance will carry over satisfactorily for JSON and other encodings
> as well, when we get to them this fall.
>
> If X_ITE and X3DOM already handle this form, and if Castle Model Viewer
> (Castle Game Engine) is also supportive, I'm not yet seeing any blockers to
> adoption. Further implementation and evaluation of course will be useful
>
> Reference and specific clause that would need modification:
>
>
> *
> X3D XML Encoding 4.0<
> https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19776-1v4.0-WD1/Part01/X3D_XML.html>
> revision 19776-1
> *
> 4.3.3.2 ProtoInstance node and fieldValue statement syntax
> *
>
> https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19776-1v4.0-WD1/Part01/concepts.html#ProtoInstanceAndFieldValueStatement
>
>
> Probably no changes needed:
>
>
> *
> X3D Classic VRML Encoding 4.0<
> https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19776-2v4.0-WD1/Part02/X3D_ClassicVRML.html>
> revision 19776-2
> *
> 4.3.3.2 Prototype instances and field value initialization syntax
> *
>
> https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19776-2v4.0-WD1/Part02/concepts.html#ProtoInstanceAndFieldValueStatement
>
> *
> X3D Architecture 4.1<
> https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19775-1v4.1-CD//Part01/Architecture.html>,
> revision 19775-1
> *
> 4.4.4 Prototype semantics
> *
>
> https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19775-1v4.1-CD//Part01/concepts.html#PrototypeSemantics
>
> Thanks for careful consideration of this potential capability. All
> feedback welcome.
>
> Have fun with X3D extensibility! ?
>
> all the best, Don
> --
> Don Brutzman Naval Postgraduate School, Code USW/Br
> brutzman at nps.edu<mailto:brutzman at nps.edu>
> Watkins 270, MOVES Institute, Monterey CA 93943-5000 USA
> +1.831.656.2149
> X3D graphics, virtual worlds, navy robotics
> https://faculty.nps.edu/brutzman
>
>
>
> ________________________________
> From: x3d-public on behalf of Holger Seelig via x3d-public
> Sent: Saturday, May 10, 2025 1:13 AM
> To: X3D
> Cc: Holger Seelig
> Subject: Re: [x3d-public] Simplifying ProtoInstance nodes
>
> This is already possible if you use the ?short syntax? of a proto instance:
>
>
> https://create3000.github.io/x_ite/tutorials/creating-new-node-types/#using-prototyped-nodes
>
> You can use this in X_ITE, but also in X3DOM.
>
> Best regards,
> Holger
>
> --
> Holger Seelig
> Leipzig, Germany
>
> holger.seelig at yahoo.de<mailto:holger.seelig at yahoo.de>
> https://create3000.github.io/x_ite/
> https://patreon.com/X_ITE
>
>
>
> Am 10.05.2025 um 05:55 schrieb John Carlson via x3d-public <
> x3d-public at web3d.org<mailto:x3d-public at web3d.org>>:
>
> My thought is to replace ?ProtoInstance? tags with ?MenuItem? tags, and
> fieldValue statements with attributes, but I?ve not done that before. My
> goal is to make the model more accessible to screen readers.
>
> Any examples are welcome.
>
> See attached link and model.
>
> John
>
> ---------- Forwarded message ---------
> From: John Carlson <yottzumm at gmail.com<mailto:yottzumm at gmail.com>>
> Date: Thu, Mar 6, 2025 at 4:35?PM
> Subject: Latest cleaned Jin FACS (needs metadata)
> To: Don Brutzman <brutzman at nps.edu<mailto:brutzman at nps.edu>>, Joe D
> Williams <joedwil at earthlink.net<mailto:joedwil at earthlink.net>>
>
>
> Attached.
>
> And:
>
> https://create3000.github.io/x_ite/playground/?url=https://raw.githubusercontent.com/coderextreme/ci2had/refs/heads/main/resources/CleanedYouClocks.x3d
>
> John
> <CleanedYouClocks.x3d>_______________________________________________
> x3d-public mailing list
> x3d-public at web3d.org<mailto:x3d-public at web3d.org>
> http://web3d.org/mailman/listinfo/x3d-public_web3d.org
>
> _______________________________________________
> x3d-public mailing list
> x3d-public at web3d.org<mailto:x3d-public at web3d.org>
> http://web3d.org/mailman/listinfo/x3d-public_web3d.org
> _______________________________________________
> x3d-public mailing list
> x3d-public at web3d.org
> http://web3d.org/mailman/listinfo/x3d-public_web3d.org
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> http://web3d.org/pipermail/x3d-public_web3d.org/attachments/20250512/43904ff2/attachment.html
> >
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> x3d-public mailing list
> x3d-public at web3d.org
> http://web3d.org/mailman/listinfo/x3d-public_web3d.org
>
>
> ------------------------------
>
> End of x3d-public Digest, Vol 194, Issue 43
> *******************************************
>
>
>
> --
> Andreas Plesch
> Waltham, MA 02453
> _______________________________________________
> x3d-public mailing list
> x3d-public at web3d.org
> http://web3d.org/mailman/listinfo/x3d-public_web3d.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://web3d.org/pipermail/x3d-public_web3d.org/attachments/20250512/907cf01f/attachment-0001.html>
More information about the x3d-public
mailing list