
Re: Initial feedback on XBL2

From: Maciej Stachowiak <mjs@apple.com>
Date: Sun, 05 Sep 2010 01:34:59 -0700
Cc: Adam Barth <w3c@adambarth.com>, Ian Hickson <ian@hixie.ch>, public-webapps@w3.org, hyatt@apple.com
Message-id: <581CCCEE-56A0-4C17-BECC-ABC15E4065B0@apple.com>
To: Chris Lilley <chris@w3.org>

On Sep 5, 2010, at 1:22 AM, Chris Lilley wrote:

> On Sunday, September 5, 2010, 4:00:20 AM, Adam wrote:
> 
>>> body { binding: url(example.xbl#nav-then-main); }
> 
> AB> Adding active content via CSS is bad for security.  For example, IE
> AB> has removed support for CSS expressions (which execute script) and
> AB> Mozilla has removed support for XBL bindings, which, like this
> AB> proposal, would allow for script execution from CSS.  Perhaps we
> AB> should consider a more secure mechanism for invoking the binding.
> 
> In the light of that browser implementor feedback about the drawbacks of using CSS to add active content, maybe another method should be chosen. XPath for example might be useful here.



Adam's comments are about binding with a stylesheet, not Selectors. XBL2 provides binding mechanisms that do not involve a stylesheet at all. The last thing we need is to have the Selectors vs. XPath discussion again.

Regards,
Maciej




Received on Sunday, 5 September 2010 08:35:36 GMT
