
[whatwg] should we add beforeload/afterload events to the web platform?

From: Ian Hickson <ian@hixie.ch>
Date: Sat, 4 Feb 2012 04:15:40 +0000 (UTC)
Message-ID: <Pine.LNX.4.64.1202040408170.13116@ps20323.dreamhostps.com>

On Fri, 3 Feb 2012, Boris Zbarsky wrote:
> On 2/3/12 10:53 PM, Ian Hickson wrote:
> > Surely for the style sheets there's far less of a difficulty in 
> > getting things right? I don't really understand what vulnerability 
> > would be relevant here such that you'd need per-stylesheet control 
> > over what was being imported.
> 
> Hmm.  I sort of assume that if you can control the styles you can really 
> mess with the page, and probably get the user to do things the user 
> doesn't really want to do.  But maybe this is me overworrying?

No, I agree with you that if the author is using HTTP styles on their 
HTTPS page that an attacker could screw with the page. But my point is 
that fixing that is easy: just move the styles to HTTPS. In the case of 
scripts it's not that easy because the scripts might be on third-party 
servers, in complicated setups, etc. So one could see a situation in which 
one might want (during a still-insecure transition period) control over 
the scripts on an individual basis, so that scripts that are known to no 
longer be needed can be excluded even if they are still referenced 
somewhere.

Adam might be able to comment more specifically on concrete examples of 
this kind of thing though in case I am missing some key point!

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 3 February 2012 20:15:40 UTC
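
The distinction drawn in the message above, as an added example that is not code from the thread or from any browser: on an HTTPS page, style sheets fetched over HTTP are simply blocked (the fix is to move them to HTTPS), while HTTP scripts are decided one by one against a list of scripts known to be no longer needed. The function names, the "flag" action (let it load but report it for migration), the retired-script list and the sample page are all assumptions made for this sketch.

```javascript
'use strict';
// Added illustration: function names, the retired-script list and SAMPLE_HTML are
// constructed here. The regex scan is a simplification, not a real HTML parser.

// Collect external scripts and style sheets referenced by an HTML string.
function listSubresources(html) {
  const found = [];
  const tagRe = /<(script|link)\b([^>]*)>/gi;
  for (const m of html.matchAll(tagRe)) {
    const attrs = {};
    const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
    for (const a of m[2].matchAll(attrRe)) {
      attrs[a[1].toLowerCase()] = a[2] || a[3] || a[4] || '';
    }
    const tag = m[1].toLowerCase();
    if (tag === 'script' && attrs.src) found.push({ kind: 'script', url: attrs.src });
    if (tag === 'link' && /\bstylesheet\b/i.test(attrs.rel || '') && attrs.href) {
      found.push({ kind: 'style', url: attrs.href });
    }
  }
  return found;
}

// Per-resource decision for an HTTPS page during a transition period.
function decideLoad(pageUrl, kind, resourceUrl, retiredScripts) {
  const res = new URL(resourceUrl, pageUrl); // resolves relative and // URLs
  const mixed = new URL(pageUrl).protocol === 'https:' && res.protocol === 'http:';
  if (!mixed) return { url: res.href, action: 'allow' };
  // Style sheets: no per-sheet control needed, the fix is to serve them over HTTPS.
  if (kind === 'style') return { url: res.href, action: 'block' };
  // Scripts: block those known to be unneeded; let the rest load but report them.
  return { url: res.href, action: retiredScripts.has(res.href) ? 'block' : 'flag' };
}

function auditPage(pageUrl, html, retiredScripts) {
  return listSubresources(html).map(r => decideLoad(pageUrl, r.kind, r.url, retiredScripts));
}

// Constructed sample page and retired-script list.
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://static.example.com/site.css">
<link rel="stylesheet" href="/local.css">
<script src="http://widgets.example.net/old-counter.js"></script>
<script src="http://cdn.example.org/payments.js"></script>
<script src="//cdn.example.org/lib.js"></script>`;
const RETIRED = new Set(['http://widgets.example.net/old-counter.js']);

console.log(auditPage('https://shop.example.com/cart', SAMPLE_HTML, RETIRED));
```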
