- From: Lincoln Yeoh <lyeoh@pop.jaring.my>
- Date: Tue, 25 Sep 2007 01:31:46 +0800
- To: www-html@w3.org
- Cc: David Woolley <forums@david-woolley.me.uk>, fernando@beford.org, security@google.com

At 02:55 AM 8/10/2007, Lincoln Yeoh wrote:
>Hi,
>
>I think it's way overdue to have a security oriented tag to disable
>unwanted features. I proposed something like this here 5 years ago
>(2002) [1], and I'm back here to propose it again.
>
>Recap on why such tags are needed:
>
>Say you run a site (webmail, myspace (remember the worm?), bbs etc)
>that is displaying content from 3rd parties (spammers, attackers) to
>unknown browsers (with different parsing bugs/behaviour).

After a month and a half, add gmail and friends, see:
http://blog.beford.org/?p=3

I suggest the problem would be smaller, if we had started to fix things 5 years ago, after all:

>With such tags you can give hints to the browsers to disable
>unwanted stuff between the tags, so that even if your site's
>filtering is insufficient (doesn't account for a problem in a new
>tag, or the browser interprets things differently/incorrectly), a
>browser that supports the tag will know that stuff is disabled, and
>thus the exploit fails.

We've got stuff like "ping", "time" attributes in HTML5.

So what does it take to get a "tag/element to disable unwanted features"[2]? :)

Link.

[1] http://lists.w3.org/Archives/Public/www-html/2002May/0021.html
[2] http://www.mail-archive.com/mozilla-security@mozilla.org/msg01448.html
http://lists.w3.org/Archives/Public/www-html/2007Aug/0008.html

Received on Monday, 24 September 2007 17:36:25 UTC