- From: Kristof Zelechovski <giecrilj@stegny.2a.pl>
- Date: Thu, 7 Jun 2007 11:17:24 +0200
The primary purpose of HTML is presentation, not scripting. You can have a user agent that does not support scripting at all, or that does not support scripting in your script of choice, but other elements of your presentation should be rendered, whatever that means, and make sense without scripting. I cannot agree with sticking the tag "Future of HTML" onto scripting security research.

Everything is executable in JavaScript, e.g. the expression "0" returns 0 when you execute it; therefore not executable means inaccessible. The duality of data and code is a characteristic of high-level languages, and it is generally considered a good thing because it makes reflection possible. I admit that reflection is not widely used in JavaScript, and most such cases actually are a misuse; nevertheless, IMHO, removing the data-code duality would be a big step backwards. Which, needless to say, could be welcome to an industry, like Tinseltown, that prefers prosecuting and restricting to protecting and innovating; the WWW industry hopefully does not belong to this genre.

The execution protection flag makes sense in machine code, where the duality cannot be readily seen, especially in compiled code where the compiler has moved and transformed much of the original code to better match the target architecture, which is beneficial both to the programmer and to the end user; however, even in such an environment it is used sparingly and often limited to core system services, because it is incompatible with trampolines and closures, at least the way they are implemented by most compilers. It cannot be viewed as the universal remedy, and it should not be applied to interactive elements. The suggestion that JavaScript code should be rendered is ridiculous; it reminds me of MacWeb, R.I.P. But, as an afterthought, perhaps it could enforce a better coding style on Web developers? Sort of "Do not execute it because it is unpretty"? Just kidding.

And if you disable inline script code, the authors will be forced to use the data URL scheme instead, which is cumbersome and buys you almost nothing, except that you can use the token -- in the script. Is that what you want? The DOM tree does not contain any code, so separating DOM code elements and attributes is void. Please explain what you really want and give us an example scenario of how it would work and how it would help, along the lines of "This document could be used to steal your credit card number because ...; my idea would prevent it because ..., while everything else will work as expected because ...".

Cheers,
Chris
Received on Thursday, 7 June 2007 02:17:24 UTC