- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 14 Aug 2008 20:33:25 +0000 (UTC)
- To: Boris Zbarsky <bzbarsky@MIT.EDU>
- Cc: public-html <public-html@w3.org>
On Wed, 13 Aug 2008, Boris Zbarsky wrote:
> >
> > I don't understand the security risk. Could you elaborate on what the
> > threat is?
>
> The obvious threat is that someone writes (or wrote awhile back)
> something, tests (or tested) in their browser, it doesn't render as HTML
> (or didn't back when they tested), then we render it as HTML.
>
> Obvious examples that come up are image types in IE, or a whole slew of
> stuff in Netscape 4 (think old site that no one has bothered to update,
> and yes such things still exist: we get people complaining that they
> can't document.open('application/postscript') in current Gecko).

Fair enough.

The risk of implementing this as Firefox does, of course, is lack of
compatibility with pages that are expecting HTML handling. To gain some
level of compatibility we have to, at a minimum, strip leading and
trailing space characters, and ignore any content after the first
semicolon.

Now the question is, are other browser vendors willing to change to this?
I've changed the spec for now, but I would really appreciate confirmation
from WebKit, Opera, and IE representatives that this change is one that
the majority of browser vendors are willing to implement.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 14 August 2008 20:33:59 UTC
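
The type handling discussed in the message above, sketched as an added example that is not part of the original message or of any browser's code. The function names are hypothetical, and it assumes that "space characters" means HTML's five (space, tab, LF, FF, CR), that the comparison is ASCII case-insensitive, and that only text/html is handed to the HTML parser.

```javascript
// Added example: normalise the type argument of document.open(type) and
// decide whether the written content would be parsed as HTML.
const HTML_SPACE = " \t\n\f\r"; // assumption: HTML's space characters only

function normalizeOpenType(type) {
  let s = String(type);
  // Ignore any content after the first semicolon (e.g. "; charset=utf-8").
  const semi = s.indexOf(";");
  if (semi !== -1) s = s.slice(0, semi);
  // Strip leading and trailing space characters. String.prototype.trim() is
  // deliberately not used: it also removes U+00A0 and other Unicode
  // whitespace, which would widen the set of strings accepted as HTML.
  let start = 0;
  let end = s.length;
  while (start < end && HTML_SPACE.includes(s[start])) start++;
  while (end > start && HTML_SPACE.includes(s[end - 1])) end--;
  return s.slice(start, end);
}

function parsesAsHtml(type) {
  // ASCII-only lowercasing (assumption: case-insensitive match).
  const t = normalizeOpenType(type).replace(/[A-Z]/g, (c) => c.toLowerCase());
  // Anything else is never given to the HTML parser, so a page that wrote
  // non-HTML data under another type is not suddenly rendered as markup.
  return t === "text/html";
}

// Constructed sample inputs, not taken from real pages.
const SAMPLES = [
  "text/html",
  "  text/html ; charset=utf-8",
  "TEXT/HTML",
  "application/postscript",
  "image/png;text/html",
  "\u00A0text/html",
];

function classify(types) {
  return types.map((t) => [t, parsesAsHtml(t)]);
}

for (const [t, html] of classify(SAMPLES)) {
  console.log(JSON.stringify(t), "->", html ? "HTML parser" : "not HTML");
}
```
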