#775: CORS Requirement for 3rd party sources in <model> tag
Discussions
2022-10-10
Peter: a lot of extra overhead if we don't require it....
Peter: Domenic filed an issue in webkit.. model
Sangwhan: I'm not entirely convinced that a declarative model is ok because these are massive payloads... It's ok that there's a tag for it - but I see issues with the implicit fetch kicking in... What are the benefits of having that implicitly fetched?
Dan: good that it's in immersive web... it also allows you to easily add 3d models to your pages... good for long tail..
Peter: yes. their draft report has a lot of blank sections... I think it's good. I'd like us to do a more thorough review.
Sangwhan: [on CORS] - the XR folks don't want CORS.. they want TAG to weigh in because there is disagreement within the group. But a lot of them don't. Thinking about it: only benefit I see is from a maintainability perspective - having another carved out loading model for this would probably not be good. User needs are more important. They suggest no-cors is better for user needs. Anne thinks they should use CORS.
Yves: it's more consistent with the platform.
Sangwhan: single, unified fetch model with the tested security guarantees. But if you carve out a special loading mechanism then it's yet another thing that has to be tracked as a special case.
Rossen: that sounds like a good reason of why they should use CORS.
Peter: Not buying that it's better for users -- it may be better for developers but possibly worse for users due to security issues.. Currently you can't render a model into a canvas .. but when someone adds that then we would need CORS. I think the default should be CORS. "CORS is the security model of the web. If you don't want to use it then you need to justify why..."
Rossen: We have a principle?
Peter: no but there is an issue...
Rossen: on their issue 15... 2d resources can fetch resources...
Peter: More of a CSP issue.
Sangwhan to leave short comment
Rossen: is the intent here to enable some of the distributed app model type of resource sharing? So I can provide my own models... as part of ...
Dan: interacting with a 3d model in a declarative way...
Rossen: Domenic said CORS is foundational mechanism for enforcing the same origin policy.
Dan: good to know we are aligned.
and closed
2022-10-10
Peter: image, video and audio all predated CORS - would we require CORS now if we were adding them? I think the answer is yes.
Dan: I agree.
Rossen: sounds sensible.
Hadley: me too.
Yves: for consistency it would be good to have CORS for everything. Img, etc.. are weird in that regard...
Peter: think of it like https...
Peter: 2nd question: should it be restricted to secure contexts?
Dan: yes.
Peter: haven't seen any mention of it...
Dan leaves 2 comments
Dan: let's wait til plenary to get wider TAG consensus...
Opened Sep 16, 2022
Wotcher TAG!
I'm requesting the TAG express an opinion on a dispute related to: Whether the model tag should require CORS for 3rd party sources.
We recommend the explainer to be in Markdown.
Explanation of the issue that we'd like the TAG's opinion on:
Model is like a media element; other media elements like <img>, <video> and <audio> can play without CORS, but there seems to be a pattern for newer APIs to require it, like <script type="module"> vs <script>.
Links to the positions of each side in the dispute: this was amicably discussed at TPAC 2022.
What steps have already been taken to come to an agreement: Discussion weighing security issues with benefits to users. Couldn't really settle on the best answer and thought that if requiring CORS is the modern way of doing it then that is what we should go with.
We'd prefer the TAG provide feedback as (please select one):
Thank you,
Ada Rose Cannon, Immersive Web co-chair.
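To make concrete what "requiring CORS" means for a third-party <model> source compared with the legacy no-cors path of <img>/<video>/<audio>, here is an added example (not code from the TAG issue, the Immersive Web group or any browser) that models the Fetch "CORS check" a browser applies to a cross-origin response. The function names (corsCheck, loadThirdPartyResource) and the sample origins and headers are this example's own assumptions.

```javascript
// Added example: simulate how a browser treats a cross-origin resource fetched in
// "no-cors" mode (legacy media elements) versus "cors" mode (module scripts, and the
// proposal for <model>). Function names and sample values are constructed here.

// Fetch spec "CORS check": the server must opt in via Access-Control-Allow-Origin.
function corsCheck(requestOrigin, responseHeaders, withCredentials = false) {
  // HTTP header names are case-insensitive; normalise once.
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;
  // The wildcard is only accepted when no credentials are sent.
  if (allowOrigin === '*') return !withCredentials;
  if (allowOrigin !== requestOrigin) return false;
  if (!withCredentials) return true;
  return h['access-control-allow-credentials'] === 'true';
}

// mode: 'no-cors' or 'cors'. Returns whether the element could use the resource and
// whether the page would be able to read its bytes (non-opaque).
function loadThirdPartyResource({ pageOrigin, resourceUrl, mode, responseHeaders }) {
  const resourceOrigin = new URL(resourceUrl).origin;
  if (resourceOrigin === pageOrigin) {
    return { loaded: true, opaque: false, reason: 'same-origin' };
  }
  if (mode === 'no-cors') {
    // Loads with no server opt-in, but the response is opaque: the page can display
    // it yet never read it (the reason a cross-origin <img> taints a canvas).
    return { loaded: true, opaque: true, reason: 'no-cors: opaque response' };
  }
  if (mode === 'cors') {
    return corsCheck(pageOrigin, responseHeaders)
      ? { loaded: true, opaque: false, reason: 'cors: server opted in' }
      : { loaded: false, opaque: false, reason: 'cors: no matching Access-Control-Allow-Origin' };
  }
  throw new Error(`unknown mode: ${mode}`);
}

// Constructed sample: a page on example.com loading a model from a third-party CDN.
const PAGE = 'https://example.com';
const MODEL_URL = 'https://cdn.example.net/scene.glb';
const NO_CORS_HEADERS = { 'Content-Type': 'model/gltf-binary' };
const CORS_HEADERS = { 'Content-Type': 'model/gltf-binary', 'Access-Control-Allow-Origin': '*' };
```

Under no-cors the CDN's file loads even without opt-in headers but stays opaque; under cors the same file fails to load until the CDN adds Access-Control-Allow-Origin, which is the server-side commitment the "require CORS" position asks of third-party hosts.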