
Re: XSLT style sheets

From: Brian Smith <bsmith@mozilla.com>
Date: Tue, 14 Jun 2011 12:24:20 -0700 (PDT)
To: Brandon Sterne <bsterne@mozilla.com>
Cc: public-web-security@w3.org, Adam Barth <w3c@adambarth.com>
Message-ID: <627152518.204508.1308079460629.JavaMail.root@zimbra1.shared.sjc1.mozilla.com>
Brandon Sterne wrote:
> Adam Barth wrote:
> > I'd lump them in with script-src. The problem is that they're
> > somewhat obscure and authors aren't going to understand the security
> > implications. If you and I didn't get it right the first time, what
> > chance do authors have?
> 
> Okay, this sounds fine. Giorgio seems to agree. I'll wait to see if
> there are objections, otherwise I'll make this change. It is troubling
> that some of these technologies are so poorly understood, even by us
> "experts".

+1. Yesterday, Brandon and I discussed an extension to the object-src syntax to allow it to be refined by mime type:

     object-src [application/x-shockwave-flash] flashsite.org
                [application/x-java-applet]     javasite.org

script-src could be done the same way:

     script-src [application/xslt+xml]  xsltsite.org
                [application/javascript] javascriptsite.org

- Brian
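The sketch above is a proposal, not adopted CSP syntax. As an added illustration that is not part of the thread, the following JavaScript parses the bracketed MIME-type form and decides whether a resource of a given type from a given host is permitted; the entry format, the "no bracket means any type" fallback and the host-matching rule are assumptions made here.

```javascript
// Added example: a toy parser/enforcer for the hypothetical
// "[mime/type] host" refinement of script-src sketched in the thread.
// Assumptions (not from the thread): an entry without a preceding
// [type] applies to every type; hosts match by exact, case-insensitive name.
const DIRECTIVE = `
  script-src [application/xslt+xml]  xsltsite.org
             [application/javascript] javascriptsite.org
`;

// Parse "<name> [type] host [type] host ..." into { name, rules }.
function parseTypedDirective(text) {
  const tokens = text.trim().split(/\s+/);
  const name = tokens.shift();
  const rules = [];
  let type = null;                        // null = source allowed for any type
  for (const tok of tokens) {
    const m = /^\[([^\]]+)\]$/.exec(tok);
    if (m) { type = m[1].toLowerCase(); continue; }
    rules.push({ type, host: tok.toLowerCase() });
  }
  return { name, rules };
}

// Drop parameters such as ";charset=utf-8" and lower-case the media type.
function normalizeMime(mime) {
  return mime.split(';')[0].trim().toLowerCase();
}

// Allowed only if some rule names this host and either carries no type
// restriction or matches the resource's (normalized) MIME type.
function isAllowed(policy, mime, host) {
  const t = normalizeMime(mime);
  const h = host.toLowerCase();
  return policy.rules.some(r => r.host === h && (r.type === null || r.type === t));
}

const policy = parseTypedDirective(DIRECTIVE);
// XSLT from xsltsite.org passes; JavaScript from xsltsite.org is blocked.
```

A type-scoped rule is only as trustworthy as the Content-Type the browser finally applies to the response, so the check assumes the declared type is authoritative.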
Received on Tuesday, 14 June 2011 19:24:47 UTC
