On Jul 16, 2009, at 9:48 AM, darrel karisch wrote:
> I've produced a proposal for a CSS Scripting Layout specification.
> I've extended Chrome as a sample implementation.

Embedding arbitrary JavaScript expressions inside CSS turns out to be pretty dangerous from a security standpoint. MSIE has long had a simple facility for this (nothing as fancy as what you're proposing) and it's been a significant vector for XSS attacks. (It's made more dangerous by its subtlety — many web developers are totally unaware that CSS scripts could contain executable code.) In response, most sites that host user-created content have had to block the ability for users to link to external stylesheets, which restricts the ability to do things like custom themes.

I'm not a security expert, but my feeling is that it would be a really bad idea to introduce another feature with the same properties, especially to browsers that haven't yet suffered from this particular type of vulnerability.

—Jens

Chromium Developers mailing list: chromium-dev@googlegroups.com
View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev
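The following added example (not part of the original message) shows the kind of screening a site hosting user-supplied CSS has to do to catch MSIE-style script expressions and external stylesheet references, and why a plain keyword match is not enough. The function names, the rule list and the sample strings are constructed for illustration.

```javascript
// Added example: conservative screen for user-supplied CSS. All names and
// sample strings are constructed for illustration.

// Decode CSS backslash escapes: \65, \000065 (plus one optional trailing
// whitespace character), and single-character escapes such as \(.
function decodeCssEscapes(css) {
  const re = /\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f0-9a-fA-F])/g;
  return css.replace(re, (match, hex, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    return cp === 0 || cp > 0x10ffff ? "\ufffd" : String.fromCodePoint(cp);
  });
}

// Remove /* ... */ comments, including an unterminated trailing comment.
function stripComments(css) {
  return css.replace(/\/\*[\s\S]*?(\*\/|$)/g, "");
}

// Reduce the stylesheet to a canonical form before matching, so that
// comments, escapes, case, width variants and whitespace cannot hide a keyword.
function normalizeCss(css) {
  let s = stripComments(decodeCssEscapes(stripComments(css)));
  s = s.normalize("NFKC").toLowerCase();
  return s.replace(/[\s\u0000]+/g, "");
}

const RULES = [
  { name: "expression", re: /expression\(/ },          // MSIE dynamic properties
  { name: "import", re: /@import/ },                   // external stylesheet
  { name: "script-url", re: /(javascript|vbscript):/ } // script URL in url()
];

// Return the names of every rule the stylesheet trips; [] means none matched.
function findScriptBearingCss(css) {
  const canonical = normalizeCss(css);
  return RULES.filter((r) => r.re.test(canonical)).map((r) => r.name);
}

// Constructed samples.
const SAMPLES = [
  "body { color: #333; width: 80% }",
  "div { width: expression(document.body.clientWidth / 2) }",
  "div { width: ex/**/pression(1) }",
  "div { width: \\65 xpression(1) }",
  "@import url(http://example.invalid/theme.css);",
];
for (const css of SAMPLES) console.log(findScriptBearingCss(css), css);
```

Because whitespace is removed before matching, the screen errs toward rejecting; an allow-list built on a real CSS parser is the stricter alternative.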