models must not be allowed to download external content

[cabanier]

Because models loaded through a tag behave a lot like an image that has an <svg> source, the same limitations must apply.
See the SVG integration spec on what things are allowed and forbidden in such a context.
Basically, we don't want to load external resources because they allow ping backs to the creator of the model.

Maybe we relax access to interactivity if CORS is enabled.

[donmccurdy]

I wanted to flag a connection to #49 here. For portability reasons, glTF has the ability to define 'fallback' data for compressed textures and geometry. If the author wants to define compressed textures (KTX2, WebP) or geometry (Draco, Meshopt) using glTF extensions, but doesn't know for sure that all clients loading that asset will support these extensions, they can include uncompressed data as a fallback. To avoid downloading both the compressed and uncompressed data, we want that fallback uncompressed data to be external:

• scene.gltf
  • shared.bin
  • geometry_compressed.bin
  • geometry_uncompressed.bin
  • texture_compressed.ktx2
  • texture_uncompressed.png

If model element doesn't have the ability to download external content, it becomes more important that the element be able to signal to the user agent that two models (of the same format) require different features/extensions/capabilities. These capabilities make a huge difference in the downloaded file size, and the GPU memory consumption while rendering.

In current use on the web, I believe it's more common for users to define multiple versions of the entire asset (e.g. scene_compressed.glb / scene_uncompressed.glb) and to fetch one or the other, rather than relying on fallback data within the asset. That is fine as long as the model element provides some way to either declare the features required by the asset, or detect features supported by the user agent, when defining the source URLs.

[cabanier]

Having switches inside a format that trigger downloads on specific user agent abilities would be a security nightmare.
For instance, it could be used to determine the class of machine if more powerful machines support more complex extensions.

I think there was some discussion that there should be a special version of gltf/usd for the web and this would be another good reason.

[donmccurdy]

I think it's reasonable to disallow external content. By convention, the binary form of glTF (.glb) is usually self-contained already. However, I hope some means of using information about whether the user agent supports certain classes of extensions — particularly compression codecs — can be provided. Compression commonly makes a 20x difference in the size of mesh geometry. Disallowing external content increases the need for something like #49.

[marcoscaceres]

Are we sure that document isn't obsolete? Seems that fetching be would be governed by HTML (and SVG itself).

[cabanier]

Are we sure that document isn't obsolete? Seems that fetching be would be governed by HTML (and SVG itself).

I'm sure :-)
SVG when used as an image source is not allowed to access external content cc @heycam