- From: Lincoln Yeoh <lyeoh@pop.jaring.my>
- Date: Wed, 15 May 2002 03:23:34 +0800
- To: Andrew Clover <and@doxdesk.com>, www-html@w3.org
At 03:42 PM 5/14/02 +0000, Andrew Clover wrote:

>The 'lock' feature as proposed is clearly incompatible with both XML
>and SGML, but could maybe be accommodated by using separate
>empty on and off tags -
>
>  <activeoff lock="x" />
>  <activeon lock="x" />

As long as there's a way to turn the darn things off :).

>I'm still not convinced this is desirable though. It might be easier just to
>have an <activeoff /> element on its own kill all further scripting in a
>page. Authors could still script things that need to be scripted by having
>a script linked to above, which access elements afterwards through
>the DOM.

Some authors may still want to put javascript stuff (mouseovers, window opens) after the 3rd party content. So if you don't have a "turn things back on" tag, this stuff can't and shouldn't work.

Anyway, it is likely to be closer to the browser parser level and not a real module deactivation, since the idea is that already running scripts would continue running. Brutally killing the module can probably cause problems.

>In the end, it would not solve the complete problem, as there are more
>things you can do with inadequately-filtered content than just scripting
>and object inclusion. But it would definitely reduce the potential for
>security breaches. Of course the *best* thing is still to have the site
>author subject user-submitted content to a very restrictive set of markup
>rules. But it can be a tricky job and at the moment most authors can't
>or won't do it.

Yes, it's not a complete solution. It's a safety net. And the idea is to at least create some space/scope/debate for "off switches" for the future.

Right now almost everything is for activating things - it's almost like we have many accelerator pedals but no brake pedal! "You want to stop? Easy, just remove foot from every pedal".

I'm just trying to propose room for at least one brake/slowdown pedal somewhere! I figure it would come in handy, probably not immediately, but at least later.

If the idea for a "brake pedal" catches on, then at least in the future there could be scope for more such tags.

Apparently Microsoft has a security tag for IFRAMEs. But there are some disadvantages with that.

Cheerio,
Link.
Received on Tuesday, 14 May 2002 15:11:14 UTC