W3C home > Mailing lists > Public > www-style@w3.org > October 2007

Re: [becss] "Behavioral Extensions to CSS" computed value question

From: Andrew Fedoniouk <news@terrainformatica.com>
Date: Sat, 27 Oct 2007 14:10:32 -0700
Message-ID: <4723A948.304@terrainformatica.com>
To: David Woolley <forums@david-woolley.me.uk>
CC: "www-style@w3.org" <www-style@w3.org>

David Woolley wrote:
> 
> Andrew Fedoniouk wrote:
> 
>> Beg my pardon but why do you think that this line
>>
>>   bind: url(javascript:MyBehavior);
>>
>> is less safe than say:
>>
>>   bind: url(http://...MyBehavior.xul); -> MyBehavior.js
>>
>>
> 
> Because, in the second case, it is relatively easy to selectively block 
> the executable content at the firewall.
> 
> Also, although javascript: is not a genuine URI scheme, but rather a 
> Netscape proprietary features, data: is a genuine one, and would also 
> allow one to bypass the firewall.  I'd therefore suggest that either 
> data: schemes be banned in this context, or that the specification 
> should advise implementors to disable them by default.  Disabling them 
> by default still makes one vulnerable to people who think they know 
> better than the network managers.

Sorry but I missed you again.

So you say that for safety reasons you will disable xml to be passed 
through firewall?

Speaking from security impression perspective I think that:

   bind: "script-reference-of-behavior-object";

is more safe (whatever it means) than

   bind: url(http://...behavior.xul);

as the first one can be disabled by "Do not run any JS" settings. At least.


-- 
Andrew Fedoniouk.

http://terrainformatica.com
Received on Saturday, 27 October 2007 21:12:10 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 27 April 2009 13:54:55 GMT