W3C home > Mailing lists > Public > www-style@w3.org > August 2000

Re: Behavior, scripts, CSS

From: Ian Graham <igraham@smaug.java.utoronto.ca>
Date: Tue, 8 Aug 2000 11:50:13 -0400
To: Matthew Brealey <webmaster@richinstyle.com>
cc: www-style@w3.org
Message-ID: <Pine.SGI.4.05.10008081132580.925-100000@smaug.java.utoronto.ca>

On Tue, 8 Aug 2000, Matthew Brealey wrote:

> Simon St.Laurent wrote:
> > 
> > ActiveX controls let you format your hard drive from any script - this
> > isn't a hazard peculiar to including scripts in CSS.  
> 
> For me, that isn't so much the point as the fact that scripts that kill
> your PC have no place in *style* sheets, since style sheets are about
> formatting whereas trashing PCs most definitely is not.
> 
Generally I never agree with Mathew ( ;-) ) but in this case I do
wholeheartedly.  CSS was never intended to be more than a declarative
language for layout and formatting, and it certainly makes little sense at
this point to break with that model by introducing programmability in ad
hoc ways.

However, what's done (HTC, etc.) is done. Whether this was the best way is
more or less irrelevant now, since it's a done deed.

Independent of this, however, is the fact that application design requires
scripts that can interact with CSS properties and with XML (or HTML) data
structures, and that can bind functionality to code resident on the
browser. Whether this is done via SCRIPT elements from HTML, some other
mechanism from XML, or behavior: from CSS really doesn't matter -- the
result is the same sort of security problem.

So the real problem, as I see it, is developing a security model that can
handle security issues indepenent of how a downloaded script is invoked.

Ian
Received on Tuesday, 8 August 2000 11:50:20 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 27 April 2009 13:54:05 GMT