W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2010

Re: Initial feedback on XBL2

From: Chris Lilley <chris@w3.org>
Date: Sun, 5 Sep 2010 10:22:24 +0200
Message-ID: <1353002399.20100905102224@w3.org>
To: Adam Barth <w3c@adambarth.com>
CC: Ian Hickson <ian@hixie.ch>, public-webapps@w3.org, hyatt@apple.com
On Sunday, September 5, 2010, 4:00:20 AM, Adam wrote:

>> body { binding: url(example.xbl#nav-then-main); }

AB> Adding active content via CSS is bad for security.  For example, IE
AB> has removed support for CSS expressions (which execute script) and
AB> Mozilla has removed support for XBL bindings, which, like this
AB> proposal, would allow for script execution from CSS.  Perhaps we
AB> should consider a more secure mechanism for invoking the binding.

In the light of that browser implementor feedback about the drawbacks of using CSS to add active content, maybe another method should be chosen. XPath for example might be useful here.


-- 
 Chris Lilley   Technical Director, Interaction Domain                 
 W3C Graphics Activity Lead, Fonts Activity Lead
 Co-Chair, W3C Hypertext CG
 Member, CSS, WebFonts, SVG Working Groups
Received on Sunday, 5 September 2010 08:22:39 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:40 GMT