
Re: [becss] "Behavioral Extensions to CSS" computed value question

From: David Woolley <forums@david-woolley.me.uk>
Date: Sat, 27 Oct 2007 21:11:28 +0100
Message-ID: <47239B70.9070902@david-woolley.me.uk>
To: "www-style@w3.org" <www-style@w3.org>

Andrew Fedoniouk wrote:

> Beg my pardon but why do you think that this line
> 
>   bind: url(javascript:MyBehavior);
> 
> is less safe than say:
> 
>   bind: url(http://...MyBehavior.xul); -> MyBehavior.js
> 
>

Because, in the second case, it is relatively easy to selectively block 
the executable content at the firewall.

Also, although javascript: is not a genuine URI scheme but rather a 
Netscape proprietary feature, data: is a genuine one, and would also 
allow one to bypass the firewall.  I'd therefore suggest that either 
the data: scheme be banned in this context, or that the specification 
should advise implementors to disable it by default.  Disabling it 
by default still makes one vulnerable to people who think they know 
better than the network managers.
-- 
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.
Received on Saturday, 27 October 2007 20:11:59 GMT
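The distinction the message draws, between a binding URL that a network filter can see and one whose script never crosses the wire, is easy to encode as a scheme allowlist. The following is an added example, not code from the thread, the BECSS draft or any implementation: it extracts the URL from a `bind: url(...)` declaration, normalizes it the way browsers do before reading the scheme (trim control characters and whitespace, drop embedded tabs and newlines, compare case-insensitively), and rejects schemes that carry their payload inline (javascript:, data:) while allowing http:, https: and relative URLs. The allowlist, the function names and the example.com URL are assumptions for illustration.

```javascript
// Added example, not from the thread or any BECSS implementation.
// Schemes that deliver the behavior inline never reach a perimeter filter,
// so only fetched schemes are accepted; the set itself is an assumption.
const ALLOWED_SCHEMES = new Set(["http", "https"]);

// Pull the URL out of a `bind: url(...)` declaration.
// Accepts url(foo), url("foo") and url('foo'), with optional whitespace.
function extractBindUrl(declaration) {
  const m = /^\s*bind\s*:\s*url\(\s*(["']?)(.*?)\1\s*\)\s*;?\s*$/is.exec(declaration);
  return m ? m[2] : null;
}

// Return the lower-cased scheme, or null for a relative URL.
// Browsers strip leading/trailing C0 controls and spaces and ignore
// tab/newline inside the URL, so "JAVA\tscript:x" still means javascript:.
// Scheme syntax follows RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":".
function schemeOf(url) {
  const cleaned = url
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Decide whether a binding may be loaded. Relative URLs resolve against the
// document and are fetched over the network like any other allowed scheme.
function classifyBinding(declaration) {
  const url = extractBindUrl(declaration);
  if (url === null) {
    return { allowed: false, scheme: null, reason: "not a bind: url() declaration" };
  }
  const scheme = schemeOf(url);
  if (scheme === null) {
    return { allowed: true, scheme: "relative", reason: "fetched relative to the document" };
  }
  if (ALLOWED_SCHEMES.has(scheme)) {
    return { allowed: true, scheme, reason: "fetched over the network; filterable" };
  }
  return { allowed: false, scheme, reason: "inline or non-network scheme; not filterable" };
}

// Constructed sample declarations (example.com is a placeholder host).
const SAMPLES = [
  "bind: url(javascript:MyBehavior);",
  "bind: url(http://example.com/MyBehavior.xul);",
  'bind: url("data:text/javascript,MyBehavior");',
  "bind: url( JAVA\tscript:MyBehavior );",
  "bind: url(behaviors/MyBehavior.xul);",
];

for (const s of SAMPLES) {
  const r = classifyBinding(s);
  console.log(`${r.allowed ? "ALLOW" : "BLOCK"}  ${s}  [${r.scheme}: ${r.reason}]`);
}
```

Running the file prints one line per sample; the javascript:, data: and tab-obfuscated javascript: bindings are blocked, the http: and relative ones are allowed. Note that this check only restores the network filter's visibility; it says nothing about what a fetched behavior may do once loaded.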
