- From: Daniel Glazman <daniel@glazman.org>
- Date: Tue, 08 Dec 2009 10:04:03 +0100
- To: Thomas Roessler <tlr@w3.org>
- Cc: public-web-security@w3.org
Thomas Roessler wrote: > Part of the community has been asking questions about the ever > growing expressive power of CSS (and its impact on Web security) > for a while now. I strongly suggest taking that part of the > community seriously now, instead of facing problems later. First the CSS WG members easily accept the fact they're not security experts. So we clearly rely on YOU guys. Second, :visited is more than 13 years old. Attribute selectors are 11 years old. Both have been implemented and shipped by mainstream browsers for ages. And it's the CSS WG that takes problems late? Come on, give me a break. We make our specs just like any other WG. We call for comments and are all ears. But telling us that a 11 years old feature implemented in mozilla since march 2001 (I know the date because _I_ did it) is dangerous and should be removed because too powerful on the basis it can be injected seems to me insane. The problem here is injection or cross-site references, not CSS itself. If the idea is to make cross-linking of stylesheets impossible, I will strongly fight that proposal because of its major impact on web-based applications. gaz Heyes said it clearly, I quote: "The scenario is a web site allows user to place a external stylesheet". External and uncontrolled resources are dangerous, we all agree on that. </Daniel>
Received on Tuesday, 8 December 2009 09:04:43 UTC