- From: David Woolley <forums@david-woolley.me.uk>
- Date: Sat, 27 Oct 2007 21:11:28 +0100
- To: "www-style@w3.org" <www-style@w3.org>
Andrew Fedoniouk wrote:
> Beg my pardon but why do you think that this line
>
> bind: url(javascript:MyBehavior);
>
> is less safe than say:
>
> bind: url(http://...MyBehavior.xul); -> MyBehavior.js
>

Because, in the second case, it is relatively easy to selectively block the executable content at the firewall.

Also, although javascript: is not a genuine URI scheme, but rather a Netscape proprietary feature, data: is a genuine one, and would also allow one to bypass the firewall. I'd therefore suggest that either data: schemes be banned in this context, or that the specification should advise implementors to disable them by default. Disabling them by default still makes one vulnerable to people who think they know better than the network managers.

--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.
Received on Saturday, 27 October 2007 20:11:59 UTC
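As an added example, not code from the original thread nor from any of the implementations discussed in it, the following shows what the "disable them by default" suggestion above looks like as a default-deny scheme check on the value of a behaviour binding. It assumes the property is spelled `bind` as in the quoted message, that the only schemes which cause a fetch a perimeter firewall can filter are http and https (the `NETWORK_SCHEMES` allowlist is an assumption), and it uses the WHATWG URL parser for scheme detection on purpose: that parser strips the ASCII tabs and newlines and lower-cases the scheme, so `java<TAB>script:` and `JavaScript:` are caught where a naive string comparison would not, and CSS hex escapes such as `\6A avascript:` are decoded first for the same reason. The sample values are constructed for the example.

```javascript
// Added example, not code from the original thread: a default-deny check on
// the URL given to a CSS behaviour binding such as `bind: url(...)`.
// Assumptions: the property is spelled `bind` as in the quoted message, and
// only http/https fetches cross the perimeter firewall (NETWORK_SCHEMES).

const NETWORK_SCHEMES = new Set(['http', 'https']);

// Decode CSS escapes so that `\6A avascript:` is seen as `javascript:`.
// A hex escape is 1-6 hex digits optionally followed by one whitespace char;
// NUL, surrogates and out-of-range code points become U+FFFD as in CSS Syntax.
// Any other escaped character stands for itself.
function decodeCssEscapes(s) {
  return s.replace(/\\([0-9a-fA-F]{1,6})\s?|\\(.)/g, (_m, hex, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    if (cp === 0 || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return '\uFFFD';
    return String.fromCodePoint(cp);
  });
}

// Pull the argument out of url(...), handling optional quotes and CSS escapes.
// Returns null when the value is not a url() function at all.
function extractUrlArgument(cssValue) {
  const m = /^\s*url\(\s*(.*?)\s*\)\s*$/is.exec(cssValue);
  if (!m) return null;
  let arg = m[1];
  const q = arg[0];
  if ((q === '"' || q === "'") && arg.length >= 2 && arg.endsWith(q)) {
    arg = arg.slice(1, -1);
  }
  return decodeCssEscapes(arg);
}

// Classify one binding value. baseUrl is the stylesheet URL used to resolve
// relative references. new URL() is the WHATWG parser: it removes ASCII
// tab/CR/LF anywhere in the input and lower-cases the scheme, so the
// obfuscated forms below end up with protocol "javascript:" like the plain one.
function classifyBinding(cssValue, baseUrl) {
  const arg = extractUrlArgument(cssValue);
  if (arg === null) return { allowed: false, scheme: null, reason: 'not a url() value' };
  if (arg === '') return { allowed: false, scheme: null, reason: 'empty url()' };
  let parsed;
  try {
    parsed = new URL(arg, baseUrl);
  } catch {
    return { allowed: false, scheme: null, reason: 'unparseable URL' };
  }
  const scheme = parsed.protocol.slice(0, -1);
  if (NETWORK_SCHEMES.has(scheme)) {
    return { allowed: true, scheme, reason: 'fetched over the network; a firewall can filter it' };
  }
  return { allowed: false, scheme, reason: 'no network round-trip; a firewall never sees it' };
}

// Constructed sample values (not from the thread) exercising the bypasses.
const STYLESHEET_URL = 'http://example.invalid/styles/site.css';
const SAMPLES = [
  'url(http://example.invalid/MyBehavior.xul)',
  'url(javascript:MyBehavior)',
  'url("data:text/javascript,alert(1)")',
  'url( JavaScript:MyBehavior )',
  'url(\\6A avascript:MyBehavior)',
  'url("java\tscript:MyBehavior")',
  'url(MyBehavior.xul)',
];

function auditBindings(values, baseUrl) {
  return values.map((v) => ({ value: v, ...classifyBinding(v, baseUrl) }));
}

for (const r of auditBindings(SAMPLES, STYLESHEET_URL)) {
  console.log(`${r.allowed ? 'ALLOW' : 'DENY '} ${String(r.scheme).padEnd(10)} ${JSON.stringify(r.value)}  (${r.reason})`);
}
```

Only the plain http value and the relative reference (which resolves against the http stylesheet) pass; every javascript: and data: variant is denied regardless of case, CSS escaping or embedded tab, which is the property David's suggestion relies on: a value that never causes a network fetch has to be stopped in the user agent, because nothing upstream will ever see it.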