- From: Lincoln Yeoh <lyeoh@pop.jaring.my>
- Date: Mon, 13 May 2002 12:37:51 +0800
- To: www-html@w3.org
Hi, Is there a tag to tell the browser to turn off/ignore active content especially for security reasons (I know it's debateable what active content is, but scripts and active-x would be a good start). By turning "off" I don't mean that stuff that is already running should be turned off. It is more of telling the browser to ignore active content between certain points (active content quoting). If not, I'm suggesting something like: <activeoff lock="Random_hard_to_guess_string" except="java"> browser deactivates active content modules/parsers except for java. content here. Active content not displayable (except for java). </activeoff lock="wrong_string"> Still no active content displayable. </activeoff lock="Random_hard_to_guess_string"> (I'd like to drop the except option but I'm putting it there for feedback - it could be useful for those who know what they are doing - they are confident of filtering certain types of active content safely). Apparently the above is not XML/XHTML compliant, if it isn't I'm sure other alternatives would do, the main thing is to be able to tell the browser to switch things off and back on. The alternative tag(s) could then be something like a self closing <br/> tag. I'm open to suggestions on XML compliant methods. Why I am suggesting this is because there are so many methods to turn things on, whilst there are rather few methods to turn things off. It's not intended to globally effective right from the start, but rather setting things in place for the future - so that at least one day we will have some way to turn things off. For as features keep getting added, the filtering parsers could increase in complexity and resource usage, and likely decrease in effectiveness. Also what the browser's parser sees is not necessarily what the website's filtering parser sees. By having this feature in place, in the future if it becomes impractical to filter everything out (resource, etc), at least there is a safety net for the browser to fall back on. Furthermore if a brand new safe feature is added, there could be a way for existing websites to allow it safely. Otherwise the only safe view left won't support it - it'll be automatically turned off by a paranoid filtering parser (filters out everything except known safe tags). Regards, Link.
Received on Monday, 13 May 2002 00:25:21 UTC