W3C home > Mailing lists > Public > www-style@w3.org > January 2003

Re: Another view (sorry) on XBL and behaviours

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 6 Jan 2003 17:20:15 +0000 (GMT)
To: Shelby Moore <shelby@coolpage.com>
Cc: "www-style@w3.org" <www-style@w3.org>
Message-ID: <Pine.LNX.4.21.0301061708040.4908-100000@dhalsim.dreamhost.com>

On Mon, 6 Jan 2003, Shelby Moore wrote:
>>>
>>> From a security point of view, allowing links to active content in
>>> styles is dangerous. Stylesheets are expected by many to be free
>>> of active content, and are allowed in places such as
>>> user-submitted content, HTML e-mail etc.
>>
>> This is a very valid concern, and is very much of interest to me.
>>
>> There are several possible solutions.
>>
>> One is to suggest to the XML team that a new attribute be
>> introduced, xml:scripting or some such, which could indicate that
>> everything from that element and deeper should be unable to execute
>> associated script.
> 
> Oh that is just great idea!
> 
> Now XBL will require changes in every major W3C standard (DOM, CSS, XML).

Actually I believe this problem exists regardless of XBL's position at
the W3C. This is a long standing problem: <script>, link="script",
Link: script, IE's 'behaviour', Mozilla's '-moz-binding', event
handler attributes, data: URIs to script, javascript: URIs, script
embedded in embedded HTML and SVG, IE's expression(), etc.

There are dozens of ways of linking script, and currently there is no
standard way of indicating that a section should be considered unsafe
with no script executed.

XBL merely brings this problem to the table. The proverbial last
straw, as it were.

-- 
Ian Hickson                                      )\._.,--....,'``.    fL
"meow"                                          /,   _.. \   _\  ;`._ ,.
http://index.hixie.ch/                         `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 6 January 2003 12:20:17 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 27 April 2009 13:54:19 GMT