Re: [becss] "Behavioral Extensions to CSS" computed value question

From: David Woolley <forums@david-woolley.me.uk>
Date: Sat, 27 Oct 2007 21:03:23 +0100
Message-ID: <4723998B.8020000@david-woolley.me.uk>
To: "www-style@w3.org" <www-style@w3.org>

fantasai wrote:
> David Woolley wrote:

> The BECSS draft already crosses this line by importing scripts through
> the 'binding' property. I haven't seen any serious discussion in the WG
> about the security implications of this.

Yes.  On a quick scan of it yesterday, that worried me.  I thought the 
position was that behaviours might use CSS selectors, but they would be 
segregated from CSS.

Could I suggest that bind be explicitly forbidden in style attributes, 
and user agents required to ignore it there.  Otherwise you are changing 
the rules under which content management/BBS systems make third party 
content safe and you will increase the pressure for methods of marking 
sections of web pages as unsafe, as recently proposed on www-html.

It is not a good idea to invalidate the presumption that CSS is 
relatively benign.

David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.
Received on Saturday, 27 October 2007 20:03:42 UTC
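
The message above asks that the binding property be ignored when it appears in a style attribute, so that content management/BBS filtering of third-party markup stays safe. The following is an added example, not code from the post or from the BECSS draft, of how such a filter could drop that declaration from an inline style value before publishing; the function names are hypothetical, and treating `-moz-binding` and `behavior` the same way goes beyond the property named in the thread.

```python
import re

# 'binding' is the BECSS property from the thread. '-moz-binding' (XBL) and
# 'behavior' (IE HTML Components) are this example's additions, not the post's.
SCRIPT_PROPERTIES = {"binding", "-moz-binding", "behavior"}
_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f])")

def _unescape(name):
    """Decode CSS escapes so 'b\\69 nding' compares equal to 'binding'."""
    def decode(m):
        if not m.group(1):
            return m.group(2)
        cp = int(m.group(1), 16)
        return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
    return _ESCAPE.sub(decode, name)

def _declarations(style):
    """Split on ';' outside strings and parentheses; None if malformed."""
    parts, start, quote, depth, i = [], 0, None, 0, 0
    while i < len(style):
        ch = style[i]
        if ch == "\\":
            i += 1                      # skip the escaped character
        elif quote:
            if ch in "\r\n\f":
                return None             # raw newline in a string: ambiguous
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        elif ch == ";" and depth == 0:
            parts.append(style[start:i])
            start = i + 1
        i += 1
    parts.append(style[start:])
    return None if quote or depth else parts

def sanitize_style_attribute(style):
    """Return the style value without script-loading declarations."""
    # Comments become a space so 'bin/**/ding' is not glued into 'binding'.
    decls = _declarations(_COMMENT.sub(" ", style)) or []  # None: fail closed
    keep = [d.strip() for d in decls
            if _unescape(d.partition(":")[0]).strip().lower()
            not in SCRIPT_PROPERTIES]
    return "; ".join(d for d in keep if d)
```

Input with an unterminated string or parenthesis is rejected whole rather than repaired, because a filter and a user agent that recover differently from malformed CSS could disagree about where the next declaration starts.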
