W3C home > Mailing lists > Public > www-style@w3.org > October 2007

Re: [becss] "Behavioral Extensions to CSS" computed value question

From: David Woolley <forums@david-woolley.me.uk>
Date: Fri, 26 Oct 2007 07:46:50 +0100
Message-ID: <47218D5A.30703@david-woolley.me.uk>
To: "www-style@w3.org" <www-style@w3.org>

Andrew Fedoniouk wrote:
> Ian Hickson wrote:
>> On Thu, 25 Oct 2007, Daniel Glazman wrote:
>>> BTW, this raises an interesting question. Suppose we have
>>>   binding: url(a) url(b);
>>> and resource a is unparsable. What's the computed value of 'binding' ?
>> The computed value is, as far as I can tell, fully defined in the 
>> draft and does not depend on the resource itself (it can be computed 
>> without hitting the network).
>> Let me know if you believe there is a hole in the spec that I have 
>> missed, so I can fix it.
>> Cheers,
> Probably it is out of topic but I'll try....
> Will it be possible to specify something like this in CSS:
> #some-id
> {
>    bind: url(javascript:MyBehavior);

I very much hope not, as one of the advantages of CSS is that it does 
not have the power of a general programming language and is therefore 
much less likely to provide access to security holes, and, at least in 
principle, easier to analyze mechanically.

Incidentally, I wasn't aware that the javascript: scheme had been 
officially approved.  It's a major cause of javascript only pages, when 
people use it in href rather than onclick.  It also causes much 
confusion, with the result that there are huge numbers of javascript 
program fragments which start with the label javascript: which is never 
the target of any goto.

David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.
Received on Friday, 26 October 2007 06:47:07 UTC

This archive was generated by hypermail 2.3.1 : Monday, 2 May 2016 14:27:31 UTC