On Sep 5, 2010, at 1:22 AM, Chris Lilley wrote:
> On Sunday, September 5, 2010, 4:00:20 AM, Adam wrote:
>
>>> body { binding: url(example.xbl#nav-then-main); }
>
> AB> Adding active content via CSS is bad for security. For example, IE
> AB> has removed support for CSS expressions (which execute script) and
> AB> Mozilla has removed support for XBL bindings, which, like this
> AB> proposal, would allow for script execution from CSS. Perhaps we
> AB> should consider a more secure mechanism for invoking the binding.
>
> In the light of that browser implementor feedback about the drawbacks of using CSS to add active content, maybe another method should be chosen. XPath for example might be useful here.
Adam's comments are about binding with a stylesheet, not Selectors. XBL2 provides binding mechanisms that do not involve a stylesheet at all. The last thing we need is to have the Selectors vs. XPath discussion again.
Regards,
Maciej