W3C home > Mailing lists > Public > www-html@w3.org > September 2007

Re: Tag to disable unwanted features?

From: Lincoln Yeoh <lyeoh@pop.jaring.my>
Date: Tue, 25 Sep 2007 01:31:46 +0800
Message-Id: <200709241735.l8OHZToT069294@smtp4.jaring.my>
To: www-html@w3.org
Cc: David Woolley <forums@david-woolley.me.uk>, fernando@beford.org, security@google.com

At 02:55 AM 8/10/2007, Lincoln Yeoh wrote:

>Hi,
>
>I think it's way overdue to have a security oriented tag to disable 
>unwanted features. I proposed something like this here 5 years ago 
>(2002) [1], and I'm back here to propose it again.
>
>Recap on why such tags are needed:
>
>Say you run a site (webmail, myspace (remember the worm?), bbs etc) 
>that is displaying content from 3rd parties (spammers, attackers) to 
>unknown browsers (with different parsing bugs/behaviour).

After a month and a half, add gmail and friends, see: 
http://blog.beford.org/?p=3

I suggest the problem would be smaller, if we had started to fix 
things 5 years ago, after all:

>With such tags you can give hints to the browsers to disable 
>unwanted stuff between the tags, so that even if your site's 
>filtering is insufficient (doesn't account for a problem in a new 
>tag, or the browser interprets things differently/incorrectly), a 
>browser that supports the tag will know that stuff is disabled, and 
>thus the exploit fails.

We've got stuff like "ping", "time" attributes in HTML5.

So what does it take to get a "tag/element to disable unwanted features"[2]?

:)

Link.

[1] http://lists.w3.org/Archives/Public/www-html/2002May/0021.html

[2] http://www.mail-archive.com/mozilla-security@mozilla.org/msg01448.html

http://lists.w3.org/Archives/Public/www-html/2007Aug/0008.html
Received on Monday, 24 September 2007 17:36:25 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 10 December 2014 20:01:24 UTC