- From: <sird@rckc.at>
- Date: Tue, 8 Dec 2009 17:07:14 +0800
- To: Daniel Glazman <daniel@glazman.org>
- Cc: Thomas Roessler <tlr@w3.org>, public-web-security@w3.org
- Message-ID: <8ba534860912080107q6be34a26wa3b0ee8ae8166536@mail.gmail.com>
Yeah, 11 years ago I was in elementary school.. sorry for not finding it back then..

-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China

On Tue, Dec 8, 2009 at 5:04 PM, Daniel Glazman <daniel@glazman.org> wrote:

> Thomas Roessler wrote:
>
>> Part of the community has been asking questions about the ever
>> growing expressive power of CSS (and its impact on Web security)
>> for a while now. I strongly suggest taking that part of the
>> community seriously now, instead of facing problems later.
>
> First the CSS WG members easily accept the fact they're not
> security experts. So we clearly rely on YOU guys.
> Second, :visited is more than 13 years old. Attribute selectors are 11
> years old. Both have been implemented and shipped by mainstream
> browsers for ages.
>
> And it's the CSS WG that takes problems late? Come on, give me
> a break. We make our specs just like any other WG. We call for
> comments and are all ears. But telling us that an 11-year-old
> feature implemented in Mozilla since March 2001 (I know the date
> because _I_ did it) is dangerous and should be removed because too
> powerful on the basis it can be injected seems to me insane. The problem
> here is injection or cross-site references, not CSS itself. If the idea
> is to make cross-linking of stylesheets impossible, I will strongly
> fight that proposal because of its major impact on web-based
> applications.
>
> gaz Heyes said it clearly, I quote: "The scenario is a web site allows
> user to place a external stylesheet". External and uncontrolled
> resources are dangerous, we all agree on that.
>
> </Daniel>

Received on Tuesday, 8 December 2009 09:08:11 UTC