- From: <sird@rckc.at>
- Date: Sun, 6 Dec 2009 17:22:38 +0800
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: Adam Barth <w3c@adambarth.com>, sird@rckc.at, Ian Hickson <ian@hixie.ch>, public-web-security@w3.org
Received on Sunday, 6 December 2009 09:23:14 UTC
hi! I understood only members/invited experts had a real vote in it.. anyway wrt autofocus it enables xss vectors without user interaction (Mario Heiderich/Gareth Heyes).

On Dec 6, 2009 4:27 PM, "Maciej Stachowiak" <mjs@apple.com> wrote:

On Dec 6, 2009, at 12:16 AM, sird@rckc.at wrote:

> Hi!
>
> Yeah.. seamless iframes just enhance th...

I see.

> I tried to persuade Giorgio Maone to lock these selectors on NoScript, but that had a performance ...

The team that reviews W3C specs consists of anyone who wants to review. And you can probably convince implementors not to implement things that are insecure by explaining how they are insecure. You have to keep in mind though that implementors will trade off potential attack surface against usefulness - so anything that's not a blatant exploit probably may still get implemented if it's really useful. Otherwise we would never add anything to the Web platform.

BTW attributes on closing tags are ignored (they are processed solely to allow the right parse errors to be emitted), and autofocus emulates something that you can do with script and which many sites already do, so it's not clear to me how either creates any vulnerabilities.

Regards,
Maciej