- From: David Woolley <forums@david-woolley.me.uk>
- Date: Sat, 27 Oct 2007 23:01:16 +0100
- To: "www-style@w3.org" <www-style@w3.org>
Andrew Fedoniouk wrote:
>
> as the first one can be disabled by "Do not run any JS" settings. At least.
>

You'd have to do it as a group policy, rather than locally on the browser. However, it is true that scripting in the HTML is more difficult to block at the firewall, although I'm sure there are firewalls that attempt to do it (in practice, you would need to strip it at the firewall, rather than blocking the whole page, as too many sites use scripting).

I still don't like the idea of adding additional routes to sneak in scripting. From my point of view, I would rather not have any scripting from untrusted sources, but unfortunately live in a world where many sites are broken without it (most of these only use it for cosmetic purposes).

There does seem to be a real problem that the sanctity of CSS has been breached, so any BBS ought to strip out all style attributes from third party content as well as more explicit scripting (they could strip more selectively, but my impression is they tend to use crude parsers, which are probably stretched to find all complete attributes, and, in any case would have to adopt a positive acceptance policy, which would reject innocuous new properties). Blocking scripting doesn't help there because the BBS is likely to rely on scripting for the document matrix.

That it has already been breached by vendors isn't a good reason for making breaches part of the official standards.

-- 
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam, that is no longer good advice, as archive address hiding may not work.
Received on Saturday, 27 October 2007 22:01:36 UTC
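An added example, not part of the original message: a sketch of the two stripping policies the message contrasts for third-party content, dropping every style attribute versus a positive acceptance (allowlist) filter on CSS properties. The tag, attribute and property allowlists and the sample markup are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
# Allowlists and SAMPLE are constructed for this example; a real forum would choose its own.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "span"}
ALLOWED_ATTRS = {"title"}
ALLOWED_CSS = {"color", "font-weight", "font-style", "text-decoration"}
DROP_WITH_CONTENT = {"script", "style"}
UNSAFE_VALUE_CHARS = set("()\\:/@<>\"'")  # rules out url(), functions, escapes, comments
SAMPLE = '<p style="color: red; text-wrap: balance; background: url(x.png)" onclick="track()">Hi <script>track()</script><b>there</b></p>'

def filter_style(value):
    # Positive acceptance: a declaration survives only if its property is allowlisted.
    kept = []
    for decl in value.split(";"):
        prop, sep, val = map(str.strip, decl.partition(":"))
        if sep and prop.lower() in ALLOWED_CSS and val and not set(val) & UNSAFE_VALUE_CHARS:
            kept.append(f"{prop.lower()}: {val}")
    return "; ".join(kept)

class Sanitizer(HTMLParser):
    def __init__(self, selective=False):
        super().__init__(convert_charrefs=True)
        self.selective, self.out, self.skip = selective, [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1  # drop the element and everything inside it
        if self.skip or tag not in ALLOWED_TAGS:
            return
        safe = []
        for name, value in attrs:
            if name == "style":  # crude policy: drop it; selective policy: filter it
                value = filter_style(value or "") if self.selective else ""
            elif name not in ALLOWED_ATTRS:  # on* handlers and unknown attributes
                continue
            if value:
                safe.append((name, value))
        self.out.append("<" + tag + "".join(f' {n}="{escape(v)}"' for n, v in safe) + ">")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html, selective=False):
    parser = Sanitizer(selective)
    parser.feed(html)
    parser.close()  # flush text buffered after the last tag
    return "".join(parser.out)
```

With `selective=True` the harmless `text-wrap: balance` declaration in `SAMPLE` is discarded along with the `url()` one, which is the cost of a positive acceptance policy that the message points out.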