On Mon, 02 Jun 2014 11:32:45 +0200, Anne van Kesteren
wrote:
How big of a problem is it that we're making as dangerous as
On 6/2/14, 11:17 PM, Eduardo' Vela" wrote:
Now, I'm not sure how many have tried to implement an HTML sanitizers.
I've reviewed Gecko's implementation of one, if that counts...
1. You have to write a parser OR You have to use a third-party parser.
Wasn't an issue for us obviously.
2.
As with any new feature, there's the risk of introducing new security bugs
on applications that otherwise wouldn't have them. The usual argument goes
as follows:
Browser vendors have a lot of undocumented functionality, and it would be
foolish to create a blacklist approach on content filtering, s
Some initial informal testing shows that import links do make it through
the filters I have readily handy. It was quick work to write up some custom
filters, however.
On Jun 2, 2014 1:52 PM, "Boris Zbarsky" wrote:
> On 6/2/14, 4:21 PM, Giorgio Maone wrote:
>
>> I do hope any filter already blocke
Great context. Thanks! Let me ask my question another way: should
CompositionEvents be used when there isn't a composition? Should typing 'a'
fire CompositionEnd? If not we still need a CommandEvent of type insertText,
and it seems inconsistent not to fire it for all typing, doesn't it?
> From: Robin Berjon [mailto:ro...@w3.org]
>
> I think we agree at the high level but might disagree over smaller details.
> You
> seem to want something that would roughly resemble the
> following:
>
> BeforeSelectionChange
> {
>   direction: "forward",
>   step: "word"
> }
>
> whereas
On Mon, Jun 2, 2014 at 2:06 AM, Jonas Sicking wrote:
> On Fri, May 30, 2014 at 5:40 PM, Jeffrey Walton
> wrote:
> > Are there any platforms providing the feature? Has the feature gained
> > any traction among the platform vendors?
>
> The webapps platform that we use in FirefoxOS and Firefox Des
On 6/2/14, 4:21 PM, Giorgio Maone wrote:
I do hope any filter already blocked out elements, as CSS has
been an XSS vector for a long time
elements without "stylesheet" in rel don't load CSS, though.
Hence the worries about blacklist vs whitelist...
-Boris
On 02/06/2014 15:01, Boris Zbarsky wrote:
> On 6/2/14, 8:54 AM, James M Snell wrote:
>> So long as they're handled with the same policy and restrictions as the
>> script tag, it shouldn't be any worse.
>
> It's worse for sites that have some sort of filtering on user-provided
> content but don't ca
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25915
Arun changed:
What | Removed | Added
Status | REOPENED | RESOLVED
Resolution | --- 
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25914
Arun changed:
What | Removed | Added
Status | REOPENED | RESOLVED
Resolution | --- 
We will be having our second Web Components telcon tomorrow (June 3).
If you'd like to suggest specific agenda items, please reply to this
mail.
Potential agenda items:
* Understanding Shadow DOM theming problem, brainstorming primitives,
maybe even filing bugs (who knows!).
* Reduce the frequency
On Jun 1, 2014, at 1:22 PM, Julian Ladbury
wrote:
> I fail to understand why work on this API has been suspended.
>
Just to be clear, by “this API” I think you mean:
http://dev.w3.org/2009/dap/file-system/file-writer.html
> HTML5, JavaScript and CSS together are becoming a natural platfor
On 6/2/14, 9:54 AM, James M Snell wrote:
I'm not saying it's perfect. Not by any stretch. I'm saying it shouldn't
be worse.
I don't understand why you think it's not worse.
and content filters will need to evolve.
And until they do, we may have vulnerable pages, right? How is that not
wors
I'm not saying it's perfect. Not by any stretch. I'm saying it shouldn't be
worse. Any impl that supports the mechanism will need to be aware of the
risk and content filters will need to evolve. Perhaps an additional
strongly worded warning in the spec would be helpful.
On Jun 2, 2014 6:43 AM, "Bori
On 6/2/14, 9:22 AM, James M Snell wrote:
Yes, that's true. Content filters are likely to miss the links
themselves. Hopefully, the imported documents themselves get filtered
By what, exactly? I mean, CSP will apply to them, but not website
content filters...
One assumption we can possibly
Yes, that's true. Content filters are likely to miss the links themselves.
Hopefully, the imported documents themselves get filtered, but there's no
guarantee. One assumption we can possibly make is that any implementation
that knows how to follow import links ought to know that they need to be
fil
On 6/2/14, 9:02 AM, James M Snell wrote:
I suppose that if you
needed the ability to sandbox them further, just wrap them inside a
sandboxed iframe.
The worry here is sites that currently have html filters for
user-provided content that don't know about being able to run
scripts. Clearly on
Yup, like I said, it shouldn't be any worse. From what I've seen with
chrome, at the very least, import links are handled with the same CSP as
script tags. Which is certainly a good thing. I suppose that if you needed
the ability to sandbox them further, just wrap them inside a sandboxed
iframe. It
On 6/2/14, 8:54 AM, James M Snell wrote:
So long as they're handled with the same policy and restrictions as the
script tag, it shouldn't be any worse.
It's worse for sites that have some sort of filtering on user-provided
content but don't catch this case right now, no?
-Boris
On Mon, Jun 2, 2014 at 2:54 PM, James M Snell wrote:
> So long as they're handled with the same policy and restrictions as the
> script tag, it shouldn't be any worse.
Well,
So long as they're handled with the same policy and restrictions as the
script tag, it shouldn't be any worse.
On Jun 2, 2014 2:35 AM, "Anne van Kesteren" wrote:
> How big of a problem is it that we're making as dangerous as
>
I fail to understand why work on this API has been suspended. HTML5,
JavaScript and CSS together are becoming a natural platform of choice on
which to write portable applications. Indeed, I have just started work on
just such a project, welcoming the chance it gives to break away from
proprietary s
On Thu, May 29, 2014 at 4:25 PM, Takeshi Yoshino wrote:
> http://fetch.spec.whatwg.org/#dom-request
> Add steps to set client and context?
That happens as part of the "restricted copy". However, that might
still change around a bit.
> http://fetch.spec.whatwg.org/#cors-preflight-fetch-0
> Add s
On 02/06/14 11:06, Jonas Sicking wrote:
> On Fri, May 30, 2014 at 5:40 PM, Jeffrey Walton wrote:
>> Are there any platforms providing the feature? Has the feature gained
>> any traction among the platform vendors?
>
> The webapps platform that we use in FirefoxOS and Firefox Desktop
> allows any
How big of a problem is it that we're making as dangerous as
On Fri, May 30, 2014 at 2:07 AM, Jonas Sicking wrote:
> On Thu, May 29, 2014 at 9:21 AM, Anne van Kesteren wrote:
>> Given that workers execute script in a fairly contained way, it might be
>> okay?
>
> Worker scripts aren't going to be very contained as we add more APIs
> to workers. They can a
On Fri, May 30, 2014 at 5:40 PM, Jeffrey Walton wrote:
> Are there any platforms providing the feature? Has the feature gained
> any traction among the platform vendors?
The webapps platform that we use in FirefoxOS and Firefox Desktop
allows any website to be an app store. I *think*, though I'm