- From: Andrew Fedoniouk <news@terrainformatica.com>
- Date: Sat, 27 Oct 2007 14:10:32 -0700
- To: David Woolley <forums@david-woolley.me.uk>
- CC: "www-style@w3.org" <www-style@w3.org>
David Woolley wrote:
>
> Andrew Fedoniouk wrote:
>
>> Beg my pardon but why do you think that this line
>>
>> bind: url(javascript:MyBehavior);
>>
>> is less safe than say:
>>
>> bind: url(http://...MyBehavior.xul); -> MyBehavior.js
>>
>
> Because, in the second case, it is relatively easy to selectively block
> the executable content at the firewall.
>
> Also, although javascript: is not a genuine URI scheme, but rather a
> Netscape proprietary feature, data: is a genuine one, and would also
> allow one to bypass the firewall. I'd therefore suggest that either
> data: schemes be banned in this context, or that the specification
> should advise implementors to disable them by default. Disabling them
> by default still makes one vulnerable to people who think they know
> better than the network managers.

Sorry but I missed you again.

So you say that for safety reasons you will disable xml to be passed through firewall?

Speaking from a security impression perspective I think that:

bind: "script-reference-of-behavior-object";

is more safe (whatever it means) than

bind: url(http://...behavior.xul);

as the first one can be disabled by "Do not run any JS" settings. At least.

--
Andrew Fedoniouk.
http://terrainformatica.com
Received on Saturday, 27 October 2007 21:12:10 UTC
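The distinction David Woolley draws in the quoted text, between a binding whose code arrives through a separate network fetch (`http:`, blockable per host at a firewall or proxy) and one whose code is carried inline in the stylesheet (`javascript:`, `data:`, invisible to a destination-based filter), can be checked on the content side. The following scanner is an added example, not code from the thread or from any proposal text; it assumes a hypothetical `bind: url(...)` property as written in the messages above, and the sample stylesheet is constructed for the demonstration.

```python
import re

# Constructed sample stylesheet (not from the thread). It mixes the two forms
# debated above plus a data: URL, the case David Woolley raises; the scheme
# of the data: URL is upper-cased to show that matching is case-insensitive.
SAMPLE_CSS = """
.widget { bind: url(javascript:MyBehavior); }
.menu   { bind: url(http://example.invalid/MyBehavior.xul); }
.popup  { bind: url( "DATA:text/javascript,x=1" ); }
.box    { bind: url('https://example.invalid/box.xul'); }
.plain  { color: red; }
"""

# 'bind' is the hypothetical property from the proposal under discussion,
# not a standard CSS property. The url() argument may be bare, double-quoted
# or single-quoted; exactly one of the three groups captures it.
BIND_RE = re.compile(
    r"bind\s*:\s*url\(\s*(?:\"([^\"]*)\"|'([^']*)'|([^)\"']*?))\s*\)",
    re.IGNORECASE,
)
# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
SCHEME_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9+.\-]*):")

# Schemes whose payload travels inside the stylesheet itself: a firewall or
# proxy that filters by destination host never sees a separate request.
INLINE_SCHEMES = {"javascript", "data"}
# Schemes that cause a separate fetch, which a network control can block per host.
NETWORK_SCHEMES = {"http", "https", "ftp"}


def scheme_of(url: str):
    """Return the lower-cased scheme of url, or None for a relative reference."""
    m = SCHEME_RE.match(url)
    return m.group(1).lower() if m else None


def classify(url: str) -> str:
    """'inline' (not filterable at the network boundary), 'network', or 'other'."""
    s = scheme_of(url)
    if s in INLINE_SCHEMES:
        return "inline"
    if s in NETWORK_SCHEMES:
        return "network"
    return "other"


def find_bindings(css: str):
    """Return [(url, category)] for every bind: url(...) declaration in css."""
    out = []
    for m in BIND_RE.finditer(css):
        url = next(g for g in m.groups() if g is not None).strip()
        out.append((url, classify(url)))
    return out


def inline_bindings(css: str):
    """URLs whose behavior code a destination-based network filter cannot intercept."""
    return [u for u, c in find_bindings(css) if c == "inline"]


if __name__ == "__main__":
    for url, category in find_bindings(SAMPLE_CSS):
        print(f"{category:8} {url}")
```

A content filter or a browser policy such as "disable inline script schemes by default" would act on the `inline` list; the `network` list is the part a firewall already controls, which is the asymmetry the two messages are arguing over.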