Re: Feedback on http://www.w3.org/International/questions/qa-html-encoding-declarations-new

From: Gunnar Bittersmann <gunnar@bittersmann.de>
Date: Sat, 01 Mar 2014 23:15:53 +0100
Message-ID: <53125C19.5050508@bittersmann.de>
To: www-international@w3.org

Richard Ishida wrote (2014-02-28 17:27+01:00):
> On 28/02/2014 15:03, Henri Sivonen wrote:
>> The section "The charset attribute on a link" fails to mention that if
>> browsers supported the attribute (without special additional rules),
>> it would be an XSS attack vector, which is a good reason not to
>> support it.
>
> Added.

The better place for the addition “One reason not to support this 
attribute is…” might be right after “…is not well supported by major 
browsers”:

There were always issues with the use of this attribute. Firstly, it is 
not well supported by major browsers. One reason not to support this 
attribute is that if browsers do so without special additional rules it 
would be an XSS attack vector.

Secondly, it is hard to ensure that the information is correct at any 
given time…

Gunnar
Received on Saturday, 1 March 2014 22:16:19 UTC