- From: Amir Herzberg <herzbea@macs.biu.ac.il>
- Date: Tue, 28 Nov 2006 15:51:53 +0200
- To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
- CC: Mike Beltzner <beltzner@mozilla.com>, Amir Herzberg <herzbea@macs.biu.ac.il>, "Michael(tm) Smith" <mikes@opera.com>, public-wsc-wg@w3.org
Hallam-Baker, Phillip wrote:
<skip-a-lot>
> The same tag would be used in WebMail interfaces to mark out content that is not vouched for by the provider.
>
> Of course Amir will now point out that a better construct would be:
>
> <div>
> <StartExternal code="AHAW4i34ewr98234h89r3=="/>
> <p>Bolivia is the capital of Peru</p>
> <EndExternal code="AHAW4i34ewr98234h89r3=="/>
> </div>
>
> The same tags could be used to control so called cross site scripting.
>

I guess you refer to my recent anti-XSS proposal, and yes, that's the basic idea. I think this kind of mechanism could really help a lot to improve separation between metadata (incl. scripts) and data in HTML pages, which is the root of XSS and some other attacks. I'll be happy to discuss these ideas, but obviously, this list is not the right place. We can use e.g. the anti-fraud list.

I must admit, though, I'm not quite sure how we can devise a UI to make such `partial external content` visible to users. I think for users we need a simpler, all-or-none identification scheme. It does make sense, imho, to allow sites to declare that a page may contain external content and hence should not inherit the site's identification. But a META tag is probably sufficient for such an all-or-nothing indicator.

Or maybe I misunderstood - not uncommon :-)

Best, Amir Herzberg
Received on Tuesday, 28 November 2006 13:53:06 UTC
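
The delimiter idea quoted in the message above, as an added example that is not part of the original e-mail or of the proposal it mentions: a region of external content is closed only by an `EndExternal` tag carrying the same unguessable code as its `StartExternal`, so markup inside the region cannot end it early. The function names `freshCode`, `wrapExternal` and `splitRegions` and the simple string-scanning model are assumptions made for illustration.

```javascript
// Added illustration; function names and the parsing model are assumptions.

// Fresh 128-bit code per region, unguessable by whoever supplies the content.
function freshCode() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return btoa(String.fromCharCode(...bytes));
}

// Provider side: wrap untrusted text in delimiters that carry the code.
function wrapExternal(untrusted, code = freshCode()) {
  return `<StartExternal code="${code}"/>${untrusted}<EndExternal code="${code}"/>`;
}

// Consumer side: split a page into trusted markup and inert external data.
function splitRegions(page) {
  const regions = [];
  const startRe = /<StartExternal code="([^"]*)"\/>/g;
  let pos = 0;
  let m;
  while ((m = startRe.exec(page)) !== null) {
    if (m.index > pos) regions.push({ trusted: true, text: page.slice(pos, m.index) });
    // Only an end tag with the same code closes the region.
    const endTag = `<EndExternal code="${m[1]}"/>`;
    const bodyStart = m.index + m[0].length;
    const endIdx = page.indexOf(endTag, bodyStart);
    if (endIdx === -1) {
      // Fail closed: an unterminated region makes the rest of the page external.
      regions.push({ trusted: false, text: page.slice(bodyStart) });
      return regions;
    }
    regions.push({ trusted: false, text: page.slice(bodyStart, endIdx) });
    pos = endIdx + endTag.length;
    // Resume after the region, so delimiters inside it are treated as data.
    startRe.lastIndex = pos;
  }
  if (pos < page.length) regions.push({ trusted: true, text: page.slice(pos) });
  return regions;
}
```

A consumer would render `trusted: false` regions as inert text, with no script execution and no inherited site identification.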