W3C home > Mailing lists > Public > www-style@w3.org > October 2007

Re: [becss] "Behavioral Extensions to CSS" computed value question

From: Andrew Fedoniouk <news@terrainformatica.com>
Date: Fri, 26 Oct 2007 09:35:15 -0700
Message-ID: <47221743.1040204@terrainformatica.com>
To: David Woolley <forums@david-woolley.me.uk>
CC: "www-style@w3.org" <www-style@w3.org>

David Woolley wrote:
> 
> Andrew Fedoniouk wrote:
>>
>>
>> Ian Hickson wrote:
>>> On Thu, 25 Oct 2007, Daniel Glazman wrote:
>>>  
>>>> BTW, this raises an interesting question. Suppose we have
>>>>
>>>>   binding: url(a) url(b);
>>>>
>>>> and resource a is unparsable. What's the computed value of 'binding' ?
>>>>     
>>>
>>> The computed value is, as far as I can tell, fully defined in the 
>>> draft and does not depend on the resource itself (it can be computed 
>>> without hitting the network).
>>>
>>> Let me know if you believe there is a hole in the spec that I have 
>>> missed, so I can fix it.
>>>
>>> Cheers,
>>>   
>> Probably it is out of topic but I'll try....
>>
>> Will it be possible to specify something like this in CSS:
>>
>> #some-id
>> {
>>    bind: url(javascript:MyBehavior);
> 
> I very much hope not, as one of the advantages of CSS is that it does 
> not have the power of a general programming language and is therefore 
> much less likely to provide access to security holes, and, at least in 
> principle, easier to analyze mechanically.

Beg my pardon but why do you think that this line

   bind: url(javascript:MyBehavior);

is less safe than say:

   bind: url(http://...MyBehavior.xul); -> MyBehavior.js

?

CSS per se is not executing this line.
It is JS statement and so is a business of existing JS environment to 
execute it. I mean that solution does not introduce any new security 
holes in principle.



> 
> Incidentally, I wasn't aware that the javascript: scheme had been 
> officially approved.  It's a major cause of javascript only pages, when 
> people use it in href rather than onclick.  It also causes much 
> confusion, with the result that there are huge numbers of javascript 
> program fragments which start with the label javascript: which is never 
> the target of any goto.
> 

I too who prefer 'bind' to accept just strings (not urls) but

   bind: url(...);

may help to bring peace here. As it is more universal then it can be 
used for different kind of bindings - e.g. for htc or xul.

The only thing I am asking is that all implementation shall include
some form of 'local' binding mechanism:

   bind: url(javascript:MyBehavior);
or just:
   bind: "MyBehavior";

This will allow to bind DOM elements with functions
defined in script.


-- 
Andrew Fedoniouk.

http://terrainformatica.com
Received on Friday, 26 October 2007 16:36:53 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 27 April 2009 13:54:55 GMT