Re: Tag to turn off active content?

It's more of a tag to help security, especially when (but not limited to) 
displaying content from 3rd parties.

The whole idea is so that the website can _explicitly_ tell the browser 
that something shouldn't be there, so that even if it somehow slips through 
filters and controls, the browser still knows it's not supposed to be, so 
it can ignore it.

Most of the security issues faced by browsers nowadays come from active 
content (one of the propagation paths for some recent worms). However most 
users are unlikely to turn off active content at their browsers, and there 
are cases where it may be desirable for a website to use active content, 
but at the same time not desirable for active content to be active in 3rd 
party content displayed (e.g. webmail applications, community websites, 
chat, news feeds etc).

Sure, filtering and parsing of 3rd party content will remain necessary, 
however as far as I see there are no guarantees that the filtering would be 
effective. And by increasing the filter paranoia level, some useful 
features might be lost. Thus the noactive tag would provide a useful safety 
net.

There also have been many cases where sites have been tricked into 
displaying 3rd party content.

Regards,
Link.

At 01:12 PM 5/13/02 +0100, Sven Latham wrote:
>Hi,
>
>I hope I understood your email correctly, (and that mine makes some sense!)
>
>Although it would be a nice feature to be able to turn on/off certain
>parsers at will, surely this should be a decision taken by the rendering
>software rather than the markup author? I understand that by disabling
>parsers and extras (Java VM, Flash, etc.) it would prevent pointless loading
>of such extras, but if anything this should be a choice made on the client
>side instead.  For example, you cite that resources would be an issue.
>Instead of the X/HTML author determining that no Javascript exists on a
>page, the browser should be intelligent enough not to load the JS parser in
>the first place on the basis that it doesn't encounter <script
>language="Javascript"> tags in that page.  If processor time were a concern
>then much better the software allow its user to disable particular
>'modules' than each web author explicitly list said module as disabled.  By
>the same token, that would rely on every web author denying the module in
>order for resources to stay down - again, easier just for the software to
>allow the end user to disable it!
>
>I suspect (and hope) that browsers nowadays are far more sensible than to
>load every module, the Java VM, Javascript, VB Script parsing, Flash, etc.
>immediately and for every page (I don't pretend to know much about software
>engineering or the inner workings, but to a layperson this would appear to
>make perfect sense!), instead only loading the module when it is required.
>Therefore the solution for a web author to avoid the Flash module loading,
>is simply not to have any Flash in their page.

Received on Monday, 13 May 2002 09:26:20 UTC