Re: Initial feedback on XBL2 from Maciej Stachowiak on 2010-09-05 (public-webapps@w3.org from July to September 2010)

From: Maciej Stachowiak <mjs@apple.com>
Date: Sun, 05 Sep 2010 01:34:59 -0700
To: Chris Lilley <chris@w3.org>
Cc: Adam Barth <w3c@adambarth.com>, Ian Hickson <ian@hixie.ch>, public-webapps@w3.org, hyatt@apple.com
Message-id: <581CCCEE-56A0-4C17-BECC-ABC15E4065B0@apple.com>

On Sep 5, 2010, at 1:22 AM, Chris Lilley wrote:

> On Sunday, September 5, 2010, 4:00:20 AM, Adam wrote:
> 
>>> body { binding: url(example.xbl#nav-then-main); }
> 
> AB> Adding active content via CSS is bad for security.  For example, IE
> AB> has removed support for CSS expressions (which execute script) and
> AB> Mozilla has removed support for XBL bindings, which, like this
> AB> proposal, would allow for script execution from CSS.  Perhaps we
> AB> should consider a more secure mechanism for invoking the binding.
> 
> In the light of that browser implementor feedback about the drawbacks of using CSS to add active content, maybe another method should be chosen. XPath for example might be useful here.

Adam's comments are about binding with a stylesheet, not Selectors. XBL2 provides binding mechanisms that do not involve a stylesheet at all. The last thing we need is to have the Selectors vs. XPath discussion again.

Regards,
Maciej

Attachments

image/jpeg attachment: textmining-worms-copy.jpg

Received on Sunday, 5 September 2010 08:35:36 UTC