Re: Tag to turn off active content?

At 03:42 PM 5/14/02 +0000, Andrew Clover wrote:
>The 'lock' feature as proposed is clearly incompatible with both XML
>and SGML, but could maybe be accommodated by using separate
>empty on and off tags -
>
>   <activeoff lock="x" />
>   <activeon lock="x" />

As long as there's a way to turn the darn things off :).

>I'm still not convinced this is desirable though. It might be easier just to
>have an <activeoff /> element on its own kill all further scripting in a
>page. Authors could still script things that need to be scripted by having
>a script linked to above, which accesses elements afterwards through
>the DOM.

Some authors may still want to put javascript stuff (mouseovers, window 
opens) after the 3rd party content. So if you don't have a "turn things 
back on" tag, this stuff can't and shouldn't work.

Anyway it is likely to be closer to the browser parser level and not a real 
module deactivation, since the idea is that already running scripts would 
continue running. Brutally killing the module can probably cause problems.


>In the end, it would not solve the complete problem, as there are more
>things you can do with inadequately-filtered content than just scripting
>and object inclusion. But it would definitely reduce the potential for
>security breaches. Of course the *best* thing is still to have the site
>author subject user-submitted content to a very restrictive set of markup
>rules. But it can be a tricky job and at the moment most authors can't
>or won't do it.

Yes it's not a complete solution. It's a safety net. And the idea is to at 
least create some space/scope/debate for "off switches" for the future.

Right now almost everything is for activating things - it's almost like we 
have many accelerator pedals but no brake pedal! "You want to stop? Easy 
just remove foot from every pedal". I'm just trying to propose room for at 
least one brake/slowdown pedal somewhere! I figure it would come in handy, 
probably not immediately, but at least later. If the idea for a "brake 
pedal" catches on, then at least in the future there could be scope for 
more such tags.

Apparently Microsoft has a security tag for IFRAMEs. But there are some 
disadvantages with that.

Cheerio,
Link.

Received on Tuesday, 14 May 2002 15:11:14 UTC
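
The paired `<activeoff lock="x" />` / `<activeon lock="x" />` idea discussed above, modelled at parser level as an added sketch; it is not code from this thread or from any browser. The matching-lock rule, the handling of a nested `<activeoff>`, the `evaluate` helper, and the sample page with its lock value are assumptions.

```python
from html.parser import HTMLParser


class ActiveContentGate(HTMLParser):
    """Models the proposed gating at parser level; nothing is executed."""

    def __init__(self):
        super().__init__()
        self.active = True    # is active content currently allowed?
        self.lock = None      # lock value of the <activeoff> in force
        self.decisions = []   # (item, allowed) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "activeoff":
            # Assumption: <activeoff> while already off is ignored, so injected
            # markup cannot swap the author's lock for one it knows.
            if self.active:
                self.active, self.lock = False, attrs.get("lock")
        elif tag == "activeon":
            # Assumption: only the matching lock re-enables; a bare
            # <activeoff /> (no lock) stays off for the rest of the page.
            if not self.active and self.lock is not None \
                    and attrs.get("lock") == self.lock:
                self.active, self.lock = True, None
        elif tag == "script":
            self.decisions.append(("script", self.active))
        # Inline event handlers (onclick, onerror, ...) are active content too.
        for name in attrs:
            if name.startswith("on"):
                self.decisions.append((f"{tag} {name}", self.active))


def evaluate(html):
    gate = ActiveContentGate()
    gate.feed(html)
    gate.close()
    return gate.decisions


# Constructed sample: author script, then a locked region holding user content.
PAGE = (
    '<script src="/site.js"></script>'
    '<activeoff lock="k3Jq9" />'
    '<p>comment <script>/* injected */</script>'
    '<activeon lock="guess" />'
    '<activeoff lock="mine" /><activeon lock="mine" />'
    '<img src="x.png" onerror="/* injected */"></p>'
    '<activeon lock="k3Jq9" />'
    '<a href="/help" onmouseover="tip()">help</a>'
)
```

Under these assumptions the scheme is only as strong as the lock value is unguessable to whoever supplies the third-party content.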