
Re: [becss] "Behavioral Extensions to CSS" computed value question

From: David Woolley <forums@david-woolley.me.uk>
Date: Sat, 27 Oct 2007 21:03:23 +0100
Message-ID: <4723998B.8020000@david-woolley.me.uk>
To: "www-style@w3.org" <www-style@w3.org>

fantasai wrote:
> David Woolley wrote:
>
> The BECSS draft already crosses this line by importing scripts through
> the 'binding' property. I haven't seen any serious discussion in the WG
> about the security implications of this.

Yes.  On a quick scan of it yesterday, that worried me.  I thought the 
position was that behaviours might use CSS selectors, but they would be 
segregated from CSS.

Could I suggest that bind be explicitly forbidden in style attributes, 
and user agents required to ignore it there.  Otherwise you are changing 
the rules under which content management/BBS systems make third party 
content safe and you will increase the pressure for methods of marking 
sections of web pages as unsafe, as recently proposed on www-html.

It is not a good idea to invalidate the presumption that CSS is 
relatively benign.



-- 
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.
Received on Saturday, 27 October 2007 20:03:42 GMT
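
Added illustration, not part of the original message or the BECSS draft: a style-attribute filter of the kind a content management or BBS system might apply to third-party markup, showing why a new script-importing property changes what such filters must handle. The property allowlist, the legacy blocklist pattern and the sample input are all assumptions constructed for this sketch.

```python
import re

# Assumed CMS policy: the only properties third-party markup may set.
ALLOWED_PROPERTIES = frozenset({
    "color", "background-color", "font-weight", "font-style",
    "text-align", "text-decoration",
})
# Values limited to keywords, numbers, lengths and hex colours; this rejects
# url(...), backslash escapes, quotes and comments outright.
SAFE_VALUE = re.compile(r"[A-Za-z0-9#%., -]+")
# Constructed stand-in for a filter that only knows older script vectors.
LEGACY_BLOCKLIST = re.compile(r"expression\s*\(|javascript\s*:", re.IGNORECASE)


def blocklist_filter(style):
    """Pass the attribute through unless a known-bad token appears."""
    return "" if LEGACY_BLOCKLIST.search(style) else style


def allowlist_filter(style):
    """Keep only declarations whose property and value are both recognised."""
    kept = []
    for declaration in style.split(";"):
        name, sep, value = declaration.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not sep or name not in ALLOWED_PROPERTIES:
            continue  # unknown property, including 'binding': drop it
        if not SAFE_VALUE.fullmatch(value):
            continue  # fail closed on anything outside the simple value grammar
        kept.append(f"{name}: {value}")
    return "; ".join(kept)


# Constructed third-party input using the draft's 'binding' property.
SAMPLE = "color: red; binding: url(https://example.invalid/widget.xml)"

if __name__ == "__main__":
    print("blocklist:", blocklist_filter(SAMPLE))  # attribute passes unchanged
    print("allowlist:", allowlist_filter(SAMPLE))  # only the colour survives
```

The blocklist filter was correct for the CSS it was written against and becomes incomplete the moment a property can import script; the allowlist filter needs no update because it never accepted unknown properties.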
