- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 19 Sep 2012 22:39:18 -0400
- To: Adam Barth <w3c@adambarth.com>
- CC: public-webappsec@w3.org
On 9/19/12 9:21 PM, Adam Barth wrote:
> I should say that I don't really have a strong opinion here. If
> there's another semantics that you prefer strongly, I'm certainly open
> to that.
>
> For authors, we should strive for the conceptually clearest semantics.
> The concept I was going for was "don't use the style element or
> attribute." Maybe it's clearer to include the CSSOM as well? There
> isn't really a security benefit to blocking the CSSOM, so it seemed
> simpler to allow it.

Is there security benefit to blocking the style attribute? Or is the
real security benefit to blocking the style element and the attribute
just came along for semantic clarity?

From my point of view, for what it's worth, the semantics that make
sense are "do not apply inline styles or styles from <style> elements".
The former would cover inline styles no matter how you set them,
basically.

-Boris
Received on Thursday, 20 September 2012 02:39:48 UTC