- From: Henry S. Thompson <ht@inf.ed.ac.uk>
- Date: Sun, 06 Dec 2009 13:09:09 +0000
- To: Tim Berners-Lee <timbl@w3.org>
- Cc: Jonathan Rees <jar@creativecommons.org>, David Booth <david@dbooth.org>, www-tag@w3.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tim Berners-Lee writes:

> In signup.html:
>
> By pressing on this button you agree to our
> <a href="terms.txt">terms and conditions</a>.
>
> In terms.txt:
> ( a la http://www.w3.org/2009/12/terms.txt)
>
> <html>
> <body>
> <p>You will not upload pornography.
> </p>
> <!--
> Further, you agree to convey to us your first born son if the sun
> rises in the east
> during the term of your association with the company.
>
> ... 265 pages of small print
> ...
> ...

So, what's interesting about this to me is that

a) Adam Barth's current mime-sniff draft [1] rules it out (because
   text/plain to text/html is classified as privilege escalation,
   because text/html is 'scriptable');

b) The _reason_ it is ruled out has nothing to do with the problem you
   are pointing to!

That is, supposing there were a media type text/staticHTML, which
meant, effectively, interpret as HTML with noscript applying
throughout. Barth would not classify text/plain -> text/staticHTML as
privilege escalation, so it would be allowed, and _then_ the problem
your example illustrates would come into play . . .

ht

[1] http://www.ietf.org/id/draft-abarth-mime-sniff-03.txt
- -- 
Henry S. Thompson, School of Informatics, University of Edinburgh
Half-time member of W3C Team
10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
Fax: (44) 131 651-1426, e-mail: ht@inf.ed.ac.uk
URL: http://www.ltg.ed.ac.uk/~ht/
[mail really from me _always_ has this .sig -- mail without it is forged spam]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFLG6z1kjnJixAXWBoRAgyxAJ4vfA4QGYJPJeIsJf4yHrZyo0gmOwCfVYss
cDEM5/HILG5ZLJZEAWc/ru8=
=qoDi
-----END PGP SIGNATURE-----
Received on Sunday, 6 December 2009 13:10:10 UTC
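The two separate issues the message above pulls apart, as an added Python illustration that is not part of the thread or of Adam Barth's draft: (1) a sniffer that refuses to promote text/plain to a "scriptable" type, and (2) what the reader actually sees once a body is rendered as HTML rather than shown verbatim. The sniffer here is a deliberately small stand-in modelled on the draft's privilege-escalation idea, not the draft's actual algorithm; the SCRIPTABLE set, the hypothetical text/staticHTML type, and the constructed TERMS_TXT body (copied from the example in the message) are all assumptions made for the example.

```python
import re

# Constructed sample body, taken from the terms.txt example in the message above.
TERMS_TXT = """<html>
<body>
<p>You will not upload pornography.
</p>
<!--
Further, you agree to convey to us your first born son if the sun
rises in the east during the term of your association with the company.
... 265 pages of small print ...
-->
</body>
</html>
"""

# Assumption: types for which a browser would run script. text/staticHTML is the
# hypothetical "HTML with noscript throughout" type from the message, so it is
# rendered like HTML but is NOT scriptable.
SCRIPTABLE = {"text/html", "application/xhtml+xml", "image/svg+xml"}
RENDERED_AS_HTML = {"text/html", "text/staticHTML"}


def is_privilege_escalation(declared: str, candidate: str) -> bool:
    """Sniffing from a non-scriptable declared type into a scriptable one."""
    return candidate in SCRIPTABLE and declared not in SCRIPTABLE


def looks_like_html(body: str) -> bool:
    """Crude signature check: body starts with a common HTML tag."""
    return re.match(r"\s*<(!doctype\s+html|html|head|body|p)\b", body, re.I) is not None


def sniff(declared: str, body: str, candidate: str = "text/html") -> str:
    """Stand-in sniffer: promote text/plain that looks like HTML to `candidate`,
    unless that promotion would be a privilege escalation (then keep text/plain)."""
    if declared != "text/plain" or not looks_like_html(body):
        return declared
    if is_privilege_escalation(declared, candidate):
        return declared
    return candidate


def visible_text(media_type: str, body: str) -> str:
    """What the user sees. text/plain shows the bytes verbatim, comments included;
    an HTML-rendered type drops comments and tags, so the small print vanishes."""
    if media_type in RENDERED_AS_HTML:
        without_comments = re.sub(r"<!--.*?-->", "", body, flags=re.S)
        without_tags = re.sub(r"<[^>]+>", "", without_comments)
        return " ".join(without_tags.split())
    return body


def small_print_visible(declared: str, body: str, candidate: str = "text/html") -> bool:
    """End-to-end: after sniffing, does the reader still see the hidden clause?"""
    return "first born son" in visible_text(sniff(declared, body, candidate), body)


if __name__ == "__main__":
    # Draft rule: text/plain -> text/html is escalation, so it stays text/plain
    # and the comment is shown to the user.
    print(sniff("text/plain", TERMS_TXT), small_print_visible("text/plain", TERMS_TXT))
    # Hypothetical text/staticHTML: not scriptable, so the promotion is allowed,
    # and the comment disappears from view even though no script ever runs.
    print(sniff("text/plain", TERMS_TXT, "text/staticHTML"),
          small_print_visible("text/plain", TERMS_TXT, "text/staticHTML"))
```

The point the code makes concrete is the one in the message: the escalation check keys only on scriptability, so any non-scriptable HTML-rendering type would slip past it and still hide the comment from the reader.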