- From: Chris Lilley <chris@w3.org>
- Date: Sun, 5 Sep 2010 10:22:24 +0200
- To: Adam Barth <w3c@adambarth.com>
- CC: Ian Hickson <ian@hixie.ch>, public-webapps@w3.org, hyatt@apple.com
On Sunday, September 5, 2010, 4:00:20 AM, Adam wrote:
>> body { binding: url(example.xbl#nav-then-main); }
AB> Adding active content via CSS is bad for security. For example, IE
AB> has removed support for CSS expressions (which execute script) and
AB> Mozilla has removed support for XBL bindings, which, like this
AB> proposal, would allow for script execution from CSS. Perhaps we
AB> should consider a more secure mechanism for invoking the binding.
In the light of that browser implementor feedback about the drawbacks of using CSS to add active content, maybe another method should be chosen. XPath for example might be useful here.
--
Chris Lilley Technical Director, Interaction Domain
W3C Graphics Activity Lead, Fonts Activity Lead
Co-Chair, W3C Hypertext CG
Member, CSS, WebFonts, SVG Working Groups
Received on Sunday, 5 September 2010 08:22:39 UTC