On Sunday, September 5, 2010, 4:00:20 AM, Adam wrote:
>> body { binding: url(example.xbl#nav-then-main); }
AB> Adding active content via CSS is bad for security. For example, IE
AB> has removed support for CSS expressions (which execute script) and
AB> Mozilla has removed support for XBL bindings, which, like this
AB> proposal, would allow for script execution from CSS. Perhaps we
AB> should consider a more secure mechanism for invoking the binding.
In the light of that browser implementor feedback about the drawbacks of using
CSS to add active content, maybe another method should be chosen. XPath for
example might be useful here.
--
Chris Lilley Technical Director, Interaction Domain
W3C Graphics Activity Lead, Fonts Activity Lead
Co-Chair, W3C Hypertext CG
Member, CSS, WebFonts, SVG Working Groups
