W3C home > Mailing lists > Public > public-web-security@w3.org > December 2009

Re: Seamless iframes + CSS3 selectors = bad idea

From: Maciej Stachowiak <mjs@apple.com>
Date: Tue, 08 Dec 2009 08:10:53 -0800
Cc: gaz Heyes <gazheyes@gmail.com>, Adam Barth <w3c@adambarth.com>, Daniel Glazman <daniel@glazman.org>, Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
Message-id: <FB9F1416-1A26-4D8F-8F56-91DEFFD48BA2@apple.com>
To: sird@rckc.at

On Dec 8, 2009, at 8:05 AM, sird@rckc.at wrote:

> passwords ARE setted some times by some apps (CUPS used it, as well  
> as Motorola's SURFBoard).. I think we loose nothing by forbidding  
> them (wont break existing apps) and we provide security for the ones  
> that do use it..
>
> Anyway, if we block all inputs for me it's fine :)
>
> Regarding the why links:
> <a href="?action=deleteAccount&sesc=1i19471gdh17">Delete this  
> account</a>
>
> I dont propose forbiding all links, just instruct the devs to start  
> using rel=nofollow on sensitive ones or something like that.

I can potentially think of some use cases for styling links based on  
the contents of the href value:

1) Distinctive style to links with specific schemes (https: or ftp:  
for example).
2) Distinctive style for links to a particular server (onsite vs  
offsite).
3) Distinctive style for links to a particular content type, guessed  
based on file extension (put PDF icon next to likely PDFs for instance).

Limiting the restriction to <a rel=nofollow> links would probably not  
overly interfere with these use cases. But do sites do that currently  
for action links containing a secret token of some kind in the URL?

Regards,
Maciej
Received on Tuesday, 8 December 2009 16:11:34 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Sunday, 19 December 2010 00:16:01 GMT