- From: Ian Graham <igraham@smaug.java.utoronto.ca>
- Date: Tue, 8 Aug 2000 11:50:13 -0400
- To: Matthew Brealey <webmaster@richinstyle.com>
- cc: www-style@w3.org
On Tue, 8 Aug 2000, Matthew Brealey wrote: > Simon St.Laurent wrote: > > > > ActiveX controls let you format your hard drive from any script - this > > isn't a hazard peculiar to including scripts in CSS. > > For me, that isn't so much the point as the fact that scripts that kill > your PC have no place in *style* sheets, since style sheets are about > formatting whereas trashing PCs most definitely is not. > Generally I never agree with Mathew ( ;-) ) but in this case I do wholeheartedly. CSS was never intended to be more than a declarative language for layout and formatting, and it certainly makes little sense at this point to break with that model by introducing programmability in ad hoc ways. However, what's done (HTC, etc.) is done. Whether this was the best way is more or less irrelevant now, since it's a done deed. Independent of this, however, is the fact that application design requires scripts that can interact with CSS properties and with XML (or HTML) data structures, and that can bind functionality to code resident on the browser. Whether this is done via SCRIPT elements from HTML, some other mechanism from XML, or behavior: from CSS really doesn't matter -- the result is the same sort of security problem. So the real problem, as I see it, is developing a security model that can handle security issues indepenent of how a downloaded script is invoked. Ian
Received on Tuesday, 8 August 2000 11:50:20 UTC