SitG Admin <sysad...@...> writes:

> >Maybe the spec should carry an informative note to implementors to point out
> >that the HEAD element does not necessarily have any textual representation in
> >the HTML source?
> >
> >Comments?
>
> See the general archives for a thread between the 9th and 10th of
> this month about outsourcing headers: restricting the scan for OpenID

I didn't see it on gmane; the "general" list there seems to be another one.
But I've read it now.

> headers to this "HEAD" area (*before* the "BODY" starts) is actually
> *desirable* behavior, since it would prevent Identity theft from

Of course, but the HEAD element is well-defined even without HEAD tags.

> injecting HTML in embedded comments, guestbooks, basically anything
> that is dynamically generated server-side rather than linked to
> within the page (like CSS).

And those things are all outside the HEAD element.

The implementation might become a bit harder, because you cannot just grep
for "<HEAD>" (assuming that you don't use a real parser library but parse it
ad-hoc), but I don't see any real difference between tagged and tagless HEAD
elements security-wise.

Thomas

_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
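As an added illustration of Thomas's point (not code from the thread or from any OpenID library): a consumer-side scanner that collects OpenID link elements only from the HEAD element, whether or not the document carries HEAD/BODY tags, by closing the implicit HEAD at the first body-level tag or body text. The rel names are OpenID 1.1's openid.server / openid.delegate; the sample documents are constructed.

```python
from html.parser import HTMLParser

# Elements allowed as HEAD content (HTML 4.01); any other start tag, or any
# non-blank text outside title/style/script/noscript, implicitly opens BODY.
HEAD_CONTENT = {"html", "head", "title", "base", "link", "meta",
                "style", "script", "noscript"}
TEXT_OK = {"title", "style", "script", "noscript"}
# OpenID 1.1 delegation link relations (spec names, not taken from the thread).
OPENID_RELS = {"openid.server", "openid.delegate"}


class HeadLinkScanner(HTMLParser):
    """Collect OpenID <link>s that lie inside the HEAD element, tagged or not."""

    def __init__(self):
        super().__init__()
        self.in_head = True   # the implicit HEAD is open until BODY begins
        self.text_ok = 0      # >0 while inside an element whose text is head content
        self.links = {}       # rel -> first href seen (later duplicates are ignored)

    def handle_starttag(self, tag, attrs):
        if not self.in_head:
            return
        if tag not in HEAD_CONTENT:
            self.in_head = False      # <body>, <p>, <div>, ... end the implicit HEAD
            return
        if tag in TEXT_OK:
            self.text_ok += 1
        if tag == "link":
            a = dict(attrs)
            href = a.get("href")
            for rel in (a.get("rel") or "").lower().split():
                if rel in OPENID_RELS and href:
                    self.links.setdefault(rel, href)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False      # explicit </head> also ends the scan
        elif tag in TEXT_OK and self.text_ok:
            self.text_ok -= 1

    def handle_data(self, data):
        if self.in_head and not self.text_ok and data.strip():
            self.in_head = False      # body text without a <body> tag opens BODY too


def find_openid_links(html):
    p = HeadLinkScanner()
    p.feed(html)
    p.close()
    return p.links


# Constructed sample: no HEAD/BODY tags; a second link is injected into body content.
TAGLESS = ('<title>Me</title>'
           '<link rel="openid.server" href="https://idp.example/server">'
           '<p>Guestbook: <link rel="openid.server" href="https://evil.example/">')
```

Because a `<link>` inside an HTML comment never reaches `handle_starttag`, commented-out markup in the head is ignored as well.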
