> The basic requirements for a 3d viewer extension (somewhat pulled out
> hat, so some people might have different
> *Secure (obviously very important. No one wants xss in a media viewer.
> also includes other things like not making
> network fetches on the server
> (this came up in the past with some file formats allowing additional
> referenced by url))
I understand XSS but sorry, I didn't really get the second part. :(
I'm not all that familiar with 3d-stuff so this might not apply, but an
example of this issue in the 2d world is svg files. They can include external
embedded images (i.e. they can include an instruction saying show image from
the following url). We turn svgs into pngs on the server side, but disable
that feature as we don't want our webservers making http requests to random
sites to retrieve the embedded image. (E.g. someone could upload an svg
with the hope it will be rendered a lot, and DoS the server where it embeds
the image from).
Hope that clarifies what I meant.
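
As an added illustration (not part of the original messages, and not the code the wiki actually runs), here is a pre-render check that lists every reference in an uploaded SVG that a server-side rasterizer might fetch. The function names, the allow-list of `#fragment` and `data:` references, and the sample file are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Matches url(...) in CSS; an @import with a bare string is not covered here.
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")\s]+)""")

# Constructed sample upload: two references leave the document, the rest stay inside it.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <style>rect { fill: url(https://cdn.example.org/p.svg#g); }</style>
  <image xlink:href="http://images.example.net/big.png" width="10" height="10"/>
  <image href="data:image/png;base64,AAAA" width="1" height="1"/>
  <use href="#local"/>
  <a href="https://example.org/"><rect id="local" style="fill:url(#grad)"/></a>
</svg>"""

def is_external(ref):
    # Assumption: only same-document fragments and inline data: URIs are allowed.
    ref = ref.strip().lower()
    return not (ref.startswith("#") or ref.startswith("data:"))

def find_external_refs(svg_text):
    """Return (element, source, reference) for each reference a renderer might fetch."""
    if "<!ENTITY" in svg_text:
        # Refuse entity declarations up front rather than letting the parser expand them.
        raise ValueError("entity declarations are rejected before parsing")
    hits = []
    for el in ET.fromstring(svg_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop the XML namespace
        refs = []
        if tag != "a":                           # <a> is a hyperlink; rendering does not load it
            refs += [("href", el.get(name)) for name in ("href", XLINK_HREF)]
        css = el.get("style", "") + ((el.text or "") if tag == "style" else "")
        refs += [("css", url) for url in CSS_URL.findall(css)]
        hits += [(tag, src, ref.strip()) for src, ref in refs if ref and is_external(ref)]
    return hits

if __name__ == "__main__":
    for tag, src, ref in find_external_refs(SAMPLE):
        print(f"reject upload: <{tag}> {src} -> {ref}")
```

A check like this complements, rather than replaces, turning off external fetching in the renderer itself, which is the control described above.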