- From: David Woolley <forums@david-woolley.me.uk>
- Date: Sat, 27 Oct 2007 21:03:23 +0100
- To: "www-style@w3.org" <www-style@w3.org>
fantasai wrote:
> David Woolley wrote:
>
> The BECSS draft already crosses this line by importing scripts through
> the 'binding' property. I haven't seen any serious discussion in the WG
> about the security implications of this.

Yes. On a quick scan of it yesterday, that worried me. I thought the position was that behaviours might use CSS selectors, but they would be segregated from CSS.

Could I suggest that bind be explicitly forbidden in style attributes, and user agents required to ignore it there. Otherwise you are changing the rules under which content management/BBS systems make third-party content safe and you will increase the pressure for methods of marking sections of web pages as unsafe, as recently proposed on www-html.

It is not a good idea to invalidate the presumption that CSS is relatively benign.

--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.
Received on Saturday, 27 October 2007 20:03:42 UTC
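The filtering step the message implies for a content management system that passes third-party style attributes through, as an added example that is not part of the original thread or of any W3C draft: a sanitizer that refuses to forward a 'binding' declaration, comparing property names only after CSS comments and escapes are removed. All function and constant names are this example's own.

```javascript
// Added example, not from the thread: a CMS-side filter for third-party
// 'style' attributes that drops any BECSS 'binding' declaration, the check
// the message asks user agents to perform. Property names are canonicalised
// (comments stripped, escapes decoded, lower-cased) before the deny check so
// obfuscated spellings are caught. All names here are this example's own.

// Properties a third-party style attribute is never allowed to carry.
const DENIED_PROPERTIES = new Set(['binding']);

// Remove /* ... */ comments; CSS permits them even inside a property name.
function stripCssComments(s) {
  return s.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Decode CSS escapes such as "\69" (plus one optional trailing whitespace
// character) or "\i" into the character they stand for.
function decodeCssEscapes(s) {
  return s.replace(/\\([0-9a-fA-F]{1,6})\s?|\\([^\r\n])/g, (m, hex, ch) =>
    hex ? String.fromCodePoint(parseInt(hex, 16)) : ch);
}

// Canonical, lower-case property name used for the deny check.
function canonicalProperty(name) {
  return decodeCssEscapes(stripCssComments(name)).trim().toLowerCase();
}

// Return the style attribute with every denied or malformed declaration
// removed. Splitting on ';' is deliberately simple: anything that does not
// parse as name:value is dropped rather than guessed at (fail closed).
function sanitizeStyleAttribute(style) {
  const kept = [];
  for (const decl of stripCssComments(style).split(';')) {
    const colon = decl.indexOf(':');
    if (colon < 0) continue;                          // no name:value pair
    const name = canonicalProperty(decl.slice(0, colon));
    const value = decl.slice(colon + 1).trim();
    if (!/^-?[a-z][a-z0-9-]*$/.test(name)) continue;  // malformed name
    if (DENIED_PROPERTIES.has(name)) continue;        // e.g. 'binding'
    kept.push(`${name}: ${value}`);
  }
  return kept.join('; ');
}

// Constructed inputs: a plain binding, one hidden behind a comment and one
// behind a hex escape. Each call returns only the harmless declaration.
console.log(sanitizeStyleAttribute('color: red; binding: url(b.xml#x)'));
console.log(sanitizeStyleAttribute('bind/**/ing: url(b.xml#x); font-size: 12px'));
console.log(sanitizeStyleAttribute('b\\69 nding: url(b.xml#x); color: blue'));
```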