Re: Feedback on http://www.w3.org/International/questions/qa-html-encoding-declarations-new

Richard Ishida wrote (2014-02-28 17:27+01:00):
> On 28/02/2014 15:03, Henri Sivonen wrote:
>> The section "The charset attribute on a link" fails to mention that if
>> browsers supported the attribute (without special additional rules),
>> it would be an XSS attack vector, which is a good reason not to
>> support it.
>
> Added.

The better place for the addition “One reason not to support this 
attribute is…” might be right after “…is not well supported by major 
browsers”:

There were always issues with the use of this attribute. Firstly, it is 
not well supported by major browsers. One reason not to support this 
attribute is that if browsers do so without special additional rules it 
would be an XSS attack vector.

Secondly, it is hard to ensure that the information is correct at any 
given time…

Gunnar

Received on Saturday, 1 March 2014 22:16:19 UTC