W3C home > Mailing lists > Public > www-style@w3.org > January 2003

Re: Another view (sorry) on XBL and behaviours

From: C.Bottelier <c.bottelier@ITsec.nl>
Date: Tue, 07 Jan 2003 09:15:27 +0100
Message-ID: <3E1A8C9F.6D53C809@ITsec.nl>
To: Ian Hickson <ian@hixie.ch>
CC: Andrew Clover <and@doxdesk.com>, "www-style@w3.org" <www-style@w3.org>, Bert Bos <Bert.Bos@sophia.inria.fr>

Ian Hickson wrote:
> > From a security point of view, allowing links to active content in styles is
> > dangerous. Stylesheets are expected by many to be free of active content,
> > and are allowed in places such as user-submitted content, HTML e-mail etc.
> 
> This is a very valid concern, and is very much of interest to me.
> 
> There are several possible solutions.
> 
> One is to suggest to the XML team that a new attribute be introduced,
> xml:scripting or some such, which could indicate that everything from that
> element and deeper should be unable to execute associated script.

<snip />

> Another possible solution is to introduce some way of overriding style at
> a higher level, so that embedding content could force 'binding' to 'none'
> on the element and all its children.

<snip />
 
> I don't see XBL as introducing a larger security hole -- in fact I see its
> standardisation as bringing to the table a problem which has been ignored
> for too long.

That there is a standardized way to to change the behaviour of the
widgets
is a great thing, one of the side effects is that it introduces yet
another
security hole. However there is a slight difference between (most)
existing
ones and this new XBL hole.

(Most) previous standards (some more or less) provide a much clearer way
how to patch it (like disable ... script) With XBL the choice is to
disable XBL entirely, or only its scripting capability. The latter would
be
preferred, but due the way XBL is intended (or to be used) this could
pose
risk. This risk being the changed behaviour to rely on the scripting,
or in put other words if the scripting behaviour is disabled the changed
behaviour of a widget would be unclear or dysfunctional to the users
point of
view.

It would / could be the task of the W3C to not make only the XBL
recommendation, but also define how, where, and what should be disabled
of the functionality of XBL by the UA. This to prevent non functional
XBL when security is set to a strict model in the UA.

Secondly it should be noted (or at least I feel it has to be) that using
CSS
selectors (and/or XPath selectors) is a great way to bind the XBL. This
for
(at least) to reasons; the selectors are more than adequate to bind the
XBL,
authors are more or less already familiar to the syntax and workings.
But this does _NOT_ require the also use CSS to bind the XBL. This could
be done in a separate linked document with its own mime type. But this
is
not required. But if the XBL bindings are from within CSS disabling CSS
does disable XBL. The way to prevent this is to disable CSS using a
cascaded
style sheet marking _EVERYTHING_ !important. but is this desirable?

Christian
Received on Tuesday, 7 January 2003 03:15:44 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 27 April 2009 13:54:19 GMT