- From: David Woolley <forums@david-woolley.me.uk>
- Date: Fri, 26 Oct 2007 07:46:50 +0100
- To: "www-style@w3.org" <www-style@w3.org>
Andrew Fedoniouk wrote:
>
>
> Ian Hickson wrote:
>> On Thu, 25 Oct 2007, Daniel Glazman wrote:
>>
>>> BTW, this raises an interesting question. Suppose we have
>>>
>>>   binding: url(a) url(b);
>>>
>>> and resource a is unparsable. What's the computed value of 'binding' ?
>>>
>>
>> The computed value is, as far as I can tell, fully defined in the
>> draft and does not depend on the resource itself (it can be computed
>> without hitting the network).
>>
>> Let me know if you believe there is a hole in the spec that I have
>> missed, so I can fix it.
>>
>> Cheers,
>>
> Probably it is out of topic but I'll try....
>
> Will it be possible to specify something like this in CSS:
>
> #some-id
> {
>   bind: url(javascript:MyBehavior);

I very much hope not, as one of the advantages of CSS is that it does not have the power of a general programming language and is therefore much less likely to provide access to security holes, and, at least in principle, easier to analyze mechanically.

Incidentally, I wasn't aware that the javascript: scheme had been officially approved. It's a major cause of javascript only pages, when people use it in href rather than onclick. It also causes much confusion, with the result that there are huge numbers of javascript program fragments which start with the label javascript: which is never the target of any goto.

--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam, that is no longer good advice, as archive address hiding may not work.
Received on Friday, 26 October 2007 06:47:07 UTC
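
Added example, not part of the original message: a mechanical check of the kind the reply alludes to, listing the url() values in a stylesheet whose scheme can run script, including ones disguised with CSS escapes. The scheme list, the function names and the sample stylesheet are assumptions constructed for illustration.

```javascript
// Added example (not from the original message). The set of schemes treated
// as script-capable is an assumption of this sketch.
const SCRIPT_SCHEMES = new Set(["javascript", "vbscript"]);

// Decode CSS escapes: "\" + 1-6 hex digits (+ one optional whitespace), or "\" + any char.
function decodeCssEscapes(text) {
  return text.replace(/\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f])/g, (m, hex, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    const invalid = cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff);
    return invalid ? "\ufffd" : String.fromCodePoint(cp);
  });
}

// Mimic URL-parser leniency: tabs/newlines are dropped, leading controls/spaces stripped.
function normalizeUrl(value) {
  return value.replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+/, "");
}

// Return every url() value in the stylesheet whose scheme can run script.
// Escapes are decoded over the whole text first, so the check over-approximates
// (it also looks inside comments); it covers url() only, not bare @import strings.
function findScriptUrls(cssText) {
  const findings = [];
  const urlToken = /url\(\s*["']?([^"')]*)/gi;
  for (const match of decodeCssEscapes(cssText).matchAll(urlToken)) {
    const value = normalizeUrl(match[1]);
    const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(value);
    if (scheme && SCRIPT_SCHEMES.has(scheme[1].toLowerCase())) {
      findings.push({ scheme: scheme[1].toLowerCase(), value });
    }
  }
  return findings;
}

// Constructed sample stylesheet; the first rule is the one quoted in the thread.
const SAMPLE_CSS = [
  "#some-id { bind: url(javascript:MyBehavior); }",
  ".a { background: url(\"images/bg.png\"); }",
  ".b { binding: url( 'JaVa\\53 cript:x' ); }",
  ".c { binding: url(java\\A script:y); }",
  ".d { binding: url(https://example.org/b.xml#x); }",
].join("\n");

console.log(findScriptUrls(SAMPLE_CSS));
```

A check like this stays a short text scan only while url() values are plain resource references; once a stylesheet value may name executable code, reviewing the stylesheet also means reviewing that code.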