On Jul 16, 2009, at 9:48 AM, darrel karisch wrote:

> I've produced a proposal for a CSS Scripting Layout specification.
> I've extended Chrome as a sample implementation.

Embedding arbitrary JavaScript expressions inside CSS turns out to be  
pretty dangerous from a security standpoint. MSIE has long had a  
simple facility for this (nothing as fancy as what you're proposing)  
and it's been a significant vector for XSS attacks. (It's made more  
dangerous by its subtlety — many web developers are totally unaware  
that CSS scripts could contain executable code.) In response, most  
sites that host user-created content have had to block the ability for  
users to link to external stylesheets, which restricts the ability to  
do things like custom themes.

I'm not a security expert, but my feeling is that it would be a really  
bad idea to introduce another feature with the same properties,  
especially to browsers that haven't yet suffered from this particular  
type of vulnerability.

—Jens
--~--~---------~--~----~------------~-------~--~----~
Chromium Developers mailing list: chromium-dev@googlegroups.com 
View archives, change email options, or unsubscribe: 
    http://groups.google.com/group/chromium-dev
-~----------~----~----~----~------~----~------~--~---
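
An added example (not part of the message above, and not code from Chromium or any other project): a check that a site hosting user-created CSS could run before accepting a stylesheet, flagging constructs that execute script in legacy engines as well as external stylesheet links. The rule list, function names and sample stylesheets are assumptions made for illustration.

```javascript
// Constructs in user-supplied CSS that can run script in legacy engines or
// pull in unreviewed styles. Illustrative rule list, not an exhaustive one.
const SCRIPT_BEARING = [
  { name: "expression()", re: /expression\s*\(/ },         // MSIE dynamic properties
  { name: "behavior", re: /(^|[;{\s])behavior\s*:/ },       // MSIE HTC behaviors
  { name: "-moz-binding", re: /-moz-binding\s*:/ },         // old Gecko XBL bindings
  { name: "script-url", re: /(javascript|vbscript)\s*:/ },  // script URLs inside url()
  { name: "@import", re: /@import/ },                       // external stylesheet link
];

// Undo the lexical forms a plain substring filter misses before matching.
function normalizeCss(css) {
  return css
    .replace(/\/\*[\s\S]*?\*\//g, "")                        // comments inside keywords
    .replace(/\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?/g, (_, hex) => {
      const cp = parseInt(hex, 16);                          // hex escape, e.g. \65 -> "e"
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "\uFFFD";
    })
    .replace(/\\([^\r\n\f])/g, "$1")                         // literal escape, e.g. \h -> "h"
    .normalize("NFKC")                                       // fold compatibility forms
    .toLowerCase();
}

// Returns the names of every rule the stylesheet trips; empty means no hit.
function findScriptBearingCss(css) {
  const flat = normalizeCss(css);
  return SCRIPT_BEARING.filter((rule) => rule.re.test(flat)).map((rule) => rule.name);
}

// Constructed sample stylesheets (not taken from any real site).
const SAMPLES = [
  "body { color: #333; background: url(theme.png); }",
  "a { width: EXP/* x */RESSION(document.body.clientWidth - 20); }",
  "a { width: \\65xpression(1); }",
  "a { -moz-binding: url(x.xml#y); be\\havior: url(x.htc) }",
  '@import url("http://example.invalid/t.css");',
];
for (const css of SAMPLES) {
  console.log(JSON.stringify(findScriptBearingCss(css)), css);
}
```

Rejecting the whole stylesheet on any hit is safer than trying to strip the matched text, since stripping can itself reassemble a flagged keyword.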
