Tag to turn off active content? from Lincoln Yeoh on 2002-05-13 (www-html@w3.org from May 2002)

From: Lincoln Yeoh <lyeoh@pop.jaring.my>
Date: Mon, 13 May 2002 12:37:51 +0800
To: www-html@w3.org
Message-Id: <5.1.0.14.1.20020513121212.03736820@192.228.128.13>

Hi,

Is there a tag to tell the browser to turn off/ignore active content 
especially for security reasons (I know it's debateable what active content 
is, but scripts and active-x would be a good start). By turning "off" I 
don't mean that stuff that is already running should be turned off. It is 
more of telling the browser to ignore active content between certain points 
(active content quoting).

If not, I'm suggesting something like:

<activeoff lock="Random_hard_to_guess_string" except="java">
browser deactivates active content modules/parsers except for java.
content here. Active content not displayable (except for java).
</activeoff lock="wrong_string">
Still no active content displayable.
</activeoff lock="Random_hard_to_guess_string">

(I'd like to drop the except option but I'm putting it there for feedback - 
it could be useful for those who know what they are doing - they are 
confident of filtering certain types of active content safely).

Apparently the above is not XML/XHTML compliant, if it isn't I'm sure other 
alternatives would do, the main thing is to be able to tell the browser to 
switch things off and back on. The alternative tag(s) could then be 
something like a self closing <br/> tag. I'm open to suggestions on XML 
compliant methods.

Why I am suggesting this is because there are so many methods to turn 
things on, whilst there are rather few methods to turn things off. It's not 
intended to globally effective right from the start, but rather setting 
things in place for the future - so that at least one day we will have some 
way to turn things off.

For as features keep getting added, the filtering parsers could increase in 
complexity and resource usage, and likely decrease in effectiveness. Also 
what the browser's parser sees is not necessarily what the website's 
filtering parser sees. By having this feature in place, in the future if it 
becomes impractical to filter everything out (resource, etc), at least 
there is a safety net for the browser to fall back on.

Furthermore if a brand new safe feature is added, there could be a way for 
existing websites to allow it safely. Otherwise the only safe view left 
won't support it - it'll be automatically turned off by a paranoid 
filtering parser (filters out everything except known safe tags).

Regards,
Link.

Received on Monday, 13 May 2002 00:25:21 UTC