- From: Jelks Cabaniss <jelks@jelks.nu>
- Date: Thu, 24 May 2001 02:03:52 -0400
- To: <www-html@w3.org>
Brian wrote: > > I think that security should be included in the DOM and > > HTML, and it should address especially: cross-domain > > access of elements in IFrames, among other things. > [DJW:] Noting that all forms of frames are discouraged by > HTML 4.0 and XHTML 1.0 and are not allowed at all by ISO HTML > and XHTML 1.1, Iframe, in particular, is a form of link, and > the W3C philosophy appears to be to encourage the web, > which means, essentially, to encourage the use of off site > links. > The security is, for instance, to stop a site from being able > to get your banks statement from inside a frame. Also, HTML > and the DOM are so linked that you can't talk about a > security model without it pertaining to HTML and the DOM. A browser vendor will certainly have to worry about security issues, but someone authoring in HTML shouldn't have to -- all they're doing is marking up text. Remember the scope of HTML -- a *markup* language, for marking up *documents*; security, SSL, etc., fall outside this scope (that's one reason why frames were so problematical in the first place: they tried to bring windowing technology -- and correlary security issues -- into document markup). DOM is also a separate thing: it can be useful to access and manipulate HTML content, but HTML is certainly not dependent on any DOM. (... This despite the onwhatever() event handlers in HTML 4.x which a number of people feel were superfluous, since it could be done in script *if* -- and only if -- a user wanted to take advantage of them. Note that Lynx and other browsers with Javascript disabled don't give a hoot about any damn DOM :). /Jelks
Received on Thursday, 24 May 2001 02:04:13 UTC