W3C home > Mailing lists > Public > www-html@w3.org > May 2001

RE: [www-html] Frame parent access control proposal (was: [ no su bject at all ])

From: Jelks Cabaniss <jelks@jelks.nu>
Date: Thu, 24 May 2001 02:03:52 -0400
To: <www-html@w3.org>
Message-ID: <000001c0e417$4f81c7e0$6401a8c0@alex1.va.home.com>
Brian wrote:

> > I think that security should be included in the DOM and 
> > HTML, and it should address especially: cross-domain 
> > access of elements in IFrames, among other things.

>   [DJW:]  Noting that all forms of frames are discouraged by
>   HTML 4.0 and XHTML 1.0 and are not allowed at all by ISO HTML
>   and XHTML 1.1, Iframe, in particular, is a form of link, and
>   the W3C philosophy appears to be to encourage the web, 
>   which means, essentially, to encourage the use of off site 
>   links.

> The security is, for instance, to stop a site from being able 
> to get your banks statement from inside a frame. Also, HTML 
> and the DOM are so linked that you can't talk about a 
> security model without it pertaining to HTML and the DOM.

A browser vendor will certainly have to worry about security issues, but
someone authoring in HTML shouldn't have to -- all they're doing is
marking up text.

Remember the scope of HTML -- a *markup* language, for marking up
*documents*;  security, SSL, etc., fall outside this scope (that's one
reason why frames were so problematical in the first place: they tried
to bring windowing technology -- and correlary security issues -- into
document markup).  DOM is also a separate thing: it can be useful to
access and manipulate HTML content, but HTML is certainly not dependent
on any DOM. 

(... This despite the onwhatever() event handlers in HTML 4.x which a
number of people feel were superfluous, since it could be done in script
*if* -- and only if -- a user wanted to take advantage of them.  Note
that Lynx and other browsers with Javascript disabled don't give a hoot
about any damn DOM :).


/Jelks
Received on Thursday, 24 May 2001 02:04:13 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 March 2012 18:15:48 GMT