[x3d-public] cyclic

Don Brutzman don.brutzman at gmail.com
Sun Mar 29 14:39:03 PDT 2026


Thank you for bringing this up Doug.  It is a significant attack vector
that browsers ought to protect against.  I recommend adding a parse-time
test for USE node references to ensure that they do not point to a
self-referential direct ancestor.

Relevant specification sections:

   - X3D Architecture 4.1 draft — ISO/IEC 19775-1:202x — 4 Concepts
   <https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19775-1v4.1-CD//Part01/concepts.html#DEF_USE_Semantics>

4.4.3 DEF/USE semantics

Node DEF names are limited in scope to a single X3D file, prototype
definition, or string submitted to either CreateX3DFromString,
CreateX3DFromStream, or CreateX3DFromURL X3D browser service (as specified
in ISO/IEC 19775-2
<https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19775-1v4.1-CD/references.html#I19775_2>).

The USE statement does not create a copy of the node identified by a DEF
name. Instead, the same node is inserted into the scene graph a second
time, resulting in the node having multiple parents (see 4.3.5
Transformation hierarchy
<https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19775-1v4.1-CD//Part01/concepts.html#TransformationHierarchy>,
for restrictions on self-referential nodes).

Node names shall be unique in the context within which the associated DEF
name occurs. Any USE node reference without a corresponding DEF, within the
scope of the current scene or prototype declaration, is an error.

NOTE   DEF names are not required to precede USE reference

   - https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19775-1v4.1-CD//Part01/concepts.html#TransformationHierarchy

4.3.5 Transformation hierarchy

The transformation hierarchy includes all of the root nodes and root node
descendants that are considered to have one or more particular locations in
the virtual world. X3D includes the notion of *local coordinate systems*,
defined in terms of transformations from ancestor coordinate systems. The
coordinate system in which the root nodes are displayed is called the *world
coordinate system*.

An X3D browser's task is to present an X3D file to the user; it does this
by presenting the transformation hierarchy to the user. The transformation
hierarchy describes the directly perceptible parts of the virtual world.

Some nodes, such as sensors and environmental nodes, are in the scene graph
but not affected by the transformation hierarchy. These include
CoordinateInterpolator
<https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19775-1v4.1-CD//Part01/components/interpolators.html#CoordinateInterpolator>,
Script
<https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19775-1v4.1-CD//Part01/components/scripting.html#Script>,
TimeSensor
<https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19775-1v4.1-CD//Part01/components/time.html#TimeSensor>,
and WorldInfo
<https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19775-1v4.1-CD//Part01/components/core.html#WorldInfo>.

Some nodes, such as Switch
<https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19775-1v4.1-CD//Part01/components/grouping.html#Switch>
or LOD
<https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19775-1v4.1-CD//Part01/components/navigation.html#LOD>,
contain a list of children, of which at most one is traversed during
rendering. However, for the purposes of computing scene position, all
children of these nodes are considered to be part of the transformation
hierarchy, whether they are traversed during rendering or not. For
instance, a Viewpoint
<https://www.web3d.org/specifications/X3Dv4Draft/ISO-IEC19775-1v4.1-CD//Part01/components/navigation.html#Viewpoint>
node which is a child of a Switch whose whichChoice field is set to -1
(indicating that none of its children should be traversed during rendering)
still uses the local coordinate space of the Switch to determine its
position in the scene.

The transformation hierarchy shall be a directed acyclic graph; a node in
the transformation hierarchy that is its own ancestor is considered invalid
and shall be ignored. The following is an example of a node in the scene
graph that is its own ancestor:

DEF T Transform {
    children [
       Shape { ... }
       USE T
    ]
}

For easy reference, I have added this to

   - X3D Resources, Security, Vulnerabilities
   - https://www.web3d.org/x3d/content/examples/X3dResources.html#Vulnerabilities

Be Careful with Secure X3D!  🔐

all the best, Don
-- 
X3D Graphics, Maritime Robotics, Distributed Simulation
Relative Motion Consulting  https://RelativeMotion.info


On Sun, Mar 29, 2026 at 11:02 AM GPU Group via x3d-public <
x3d-public at web3d.org> wrote:

> There doesn't seem to be anything to stop a scene from being cyclic --
> freewrl has no defense against it, and simply crashes likely from stack
> overflow.
> -Doug
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE X3D PUBLIC "ISO//Web3D//DTD X3D 3.0//EN" "http://www.web3d.org/specifications/x3d-3.0.dtd">
> <X3D profile='Interchange'>
> <head>
> </head>
>
> <Scene>
>  <Group DEF='CYCLIC'>
>   <Shape >
>     <Appearance >
> <Material />
>     </Appearance>
>     <Cone />
>   </Shape>
>   <Group USE='CYCLIC'/>
>  </Group>
> </Scene>
> </X3D>
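
Added example, not part of the original message or of any X3D browser's code: one way to implement the parse-time test recommended above, generalised from the direct-ancestor case to indirect cycles (A uses B, B uses A). It assumes a single DEF scope with no ProtoDeclare bodies or Inline content; find_cyclic_defs and both sample scenes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the scene quoted in this thread.
DIRECT = """<X3D profile='Interchange'><Scene>
 <Group DEF='CYCLIC'>
  <Shape><Appearance><Material/></Appearance><Cone/></Shape>
  <Group USE='CYCLIC'/>
 </Group>
</Scene></X3D>"""

# Constructed: indirect cycle, with a USE that precedes its DEF.
INDIRECT = """<X3D><Scene>
 <Group DEF='A'><Group USE='B'/></Group>
 <Transform DEF='B'><Group USE='A'/></Transform>
 <Shape DEF='S'><Box/></Shape>
 <Shape USE='S'/>
</Scene></X3D>"""

def find_cyclic_defs(x3d_text):
    """Return the sorted DEF names that are their own ancestor via USE."""
    root = ET.fromstring(x3d_text)
    # Pass 1: index every DEF first, since DEF need not precede USE.
    defs = {el.get("DEF"): el for el in root.iter() if el.get("DEF")}
    # Pass 2: edges[d] = every DEF name inserted somewhere beneath node d.
    edges = {}
    for name, node in defs.items():
        below = set()
        for el in node.iter():
            if el.get("USE") in defs:
                below.add(el.get("USE"))
            if el is not node and el.get("DEF"):
                below.add(el.get("DEF"))
        edges[name] = below
    # Pass 3: iterative reachability (no recursion, so a hostile file
    # cannot exhaust the checker's own stack).
    cyclic = []
    for start in defs:
        seen, todo = set(), list(edges[start])
        while todo:
            cur = todo.pop()
            if cur == start:
                cyclic.append(start)
                break
            if cur not in seen:
                seen.add(cur)
                todo.extend(edges[cur])
    return sorted(cyclic)
```

A loader can reject the file, or drop the offending USE as 4.3.5 requires, whenever the returned list is non-empty, before any scene-graph traversal runs.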