Brandon Sterne wrote:
> Adam Barth wrote:
> > I'd lump them in with script-src. The problem is that they're
> > somewhat obscure and authors aren't going to understand the security
> > implications. If you and I didn't get it right the first time, what
> > chance do authors have?
> Okay, this sounds fine. Giorgio seems to agree. I'll wait to see if
> there are objections, otherwise I'll make this change. It is troubling
> that some of these technologies are so poorly understood, even by us
> "experts".

+1. Yesterday, Brandon and I discussed an extension to the object-src syntax to allow it to be refined by mime type:

     object-src [application/x-shockwave-flash]

script-src could be done the same way:

     script-src [application/xslt+xml]

- Brian
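As an added illustration (my code, not anything from the thread or from the CSP implementation being discussed), a small parser and enforcer for the bracketed MIME-type refinement sketched above. The grammar is my assumption about how the sketch would be completed: a comma-separated type list in brackets, then the usual source list, with default-src as the fallback; the policy string and origins are constructed.

```python
import re

# Assumed grammar (the thread only sketches the bracket):
#   directive [type1,type2,...] source source ...
# No bracket -> any MIME type; no sources -> nothing allowed.
DIRECTIVE_RE = re.compile(r"^([a-z-]+)\s*(?:\[([^\]]*)\])?\s*(.*)$")

# Constructed policy: Flash objects only from the page's own origin; script
# restricted to JavaScript and XSLT (XSLT lumped under script-src, as the
# thread proposes) from self or one CDN.
EXAMPLE_POLICY = (
    "object-src [application/x-shockwave-flash] 'self'; "
    "script-src [text/javascript,application/xslt+xml] 'self' https://cdn.example.net"
)


def parse_policy(policy_text):
    """Parse "name [types] sources; name ..." into {name: {types, sources}}."""
    policy = {}
    for clause in policy_text.split(";"):
        clause = clause.strip()
        if not clause:
            continue
        match = DIRECTIVE_RE.match(clause)
        if not match:
            raise ValueError("malformed directive: %r" % clause)
        name, types, sources = match.groups()
        policy[name] = {
            # None: this directive does not restrict by MIME type
            "types": None if types is None else
                     {t.strip().lower() for t in types.split(",") if t.strip()},
            "sources": sources.split(),
        }
    return policy


def source_matches(source, origin, self_origin):
    """Simplified source matching: 'none', 'self', * and exact origins only."""
    if source == "'none'":
        return False
    if source == "'self'":
        return origin == self_origin
    return source == "*" or source.lower() == origin.lower()


def allows(policy, directive, origin, mime, self_origin):
    """True if a load of `mime` from `origin` passes `directive` (or default-src)."""
    rule = policy.get(directive, policy.get("default-src"))
    if rule is None:
        return True  # no applicable directive: unrestricted
    media_type = mime.split(";")[0].strip().lower()  # drop parameters
    if rule["types"] is not None and media_type not in rule["types"]:
        return False
    return any(source_matches(s, origin, self_origin) for s in rule["sources"])
```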

