[Bug 11665] New: Please enter your feedback, carefully indicating the title of the section for which you are submitting feedback, quoting the text that's wrong today if appropriate. If you're sugges
http://www.w3.org/Bugs/Public/show_bug.cgi?id=11665

Summary: Please enter your feedback, carefully indicating the title of the section for which you are submitting feedback, quoting the text that's wrong today if appropriate. If you're suggesting a new feature, it's really important to say what the problem you're t
Product: WebAppsWG
Version: unspecified
Platform: Other
URL: http://www.whatwg.org/specs/web-apps/current-work/#top
OS/Version: other
Status: NEW
Severity: normal
Priority: P3
Component: Web Messaging (editor: Ian Hickson)
AssignedTo: i...@hixie.ch
ReportedBy: contribu...@whatwg.org
QAContact: member-webapi-...@w3.org
CC: m...@w3.org, public-webapps@w3.org

Specification: http://dev.w3.org/html5/postmsg/
Section: http://www.whatwg.org/specs/web-apps/current-work/complete.html#top

Comment:
Please enter your feedback, carefully indicating the title of the section for which you are submitting feedback, quoting the text that's wrong today if appropriate. If you're suggesting a new feature, it's really important to say what the problem you're trying to solve is. That's more important than the solution, in fact.

Posted from: 128.29.43.1
Peepo.com review request, deadline 6 Jan
http://www.peepo.com

Whilst recognising the extremely busy workloads borne by members, I would appreciate feedback in terms of: Accessibility, Fitness for purpose, Webappiness, Code efficiency, Missing features or content, and any comments of your choice.

regards

Jonathan Chetwynd

peepo.com is temporarily stable. see: gaming.mozillalabs.com
Re: clipboard events
Oh boy... indeed it's a crab's nest!

I think it's rather a good idea to whitelist and blacklist and get it richer as the browser makers' awareness grows into a catalog of tags, attributes, and properties that need to be sanitized out or may be kept.

I'd rather suggest to start smallishly so that the feature itself is kept (and not "disabled for security reasons by upgrade beta+0.003"; I believe this is what happened to MSIE's Clipboard APIs) and let it grow as the catalog grows.

paul

On 4 Jan 2011, at 03:01, Robert O'Callahan wrote:

> I specifically avoided the issue of whether to whitelist or blacklist :-).
>
> Whitelisting is preferable for security, but it turns out that the obvious
> whitelists break things. For example, some HTML editors expect to be able to
> get pasted HTML from Microsoft Word containing -mso styles, which they will
> then process into something else. So a CSS whitelist would need to include at
> least some -mso stuff, and who knows what else

On 4 Jan 2011, at 06:51, Robert O'Callahan wrote:

> Probably not. One problem is that if some implementation supports
> CSS-triggered scripts via some CSS extension, then ideally other
> implementations would ensure that those extensions are stripped. E.g. Opera
> doesn't support IE's expression() CSS extension, but if an Opera user pastes
> untrusted HTML into a Web site, IE users may become vulnerable.
> Maybe your spec should just mention that something needs to be done here and
> move on. This is a rather tough issue and it wouldn't be fair to make you
> responsible for solving it :-).
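
The allowlist approach discussed in this thread, as an added example that is not part of the original messages and not any browser's implementation: pasted HTML is rebuilt from a small catalog of tags and CSS properties, Word's mso- properties are let through for editors to post-process, and any declaration whose value is not plain tokens is dropped, so `expression()` never survives. The catalog contents, the names `clean_style` and `sanitize_paste`, and the sample paste are assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed catalog for illustration; the only attribute kept is style.
ALLOWED_TAGS = {"p", "b", "i", "span", "ul", "li", "br"}
CSS_NAME = re.compile(r"color|font-weight|font-style|text-align|-?mso-[a-z-]+", re.I)
SAFE_VALUE = re.compile(r"[\w\s#.%,+-]+", re.ASCII)  # no parens, quotes, backslashes
DROP_CONTENT = {"script", "style"}  # the element and its text are both discarded

def clean_style(style):
    kept = []
    for decl in style.split(";"):
        name, _, value = (part.strip() for part in decl.partition(":"))
        # Plain-token values only, so expression(...) and url(...) are rejected.
        if CSS_NAME.fullmatch(name) and SAFE_VALUE.fullmatch(value):
            kept.append(f"{name}: {value}")
    return "; ".join(kept)

class PasteSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            style = clean_style(dict(attrs).get("style") or "")
            self.out.append(f'<{tag} style="{escape(style)}">' if style else f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize_paste(html):
    parser = PasteSanitizer()
    parser.feed(html)
    parser.close()  # flush any buffered trailing text
    return "".join(parser.out)

# Constructed sample paste, not taken from the thread.
SAMPLE = ('<p style="color: expression(alert(1)); mso-ansi-language: EN-US; '
          'font-weight: bold" onclick="x()">Hi <script>alert(1)</script><b>there</b></p>')
```

Unknown tags are unwrapped rather than deleted, so text from Word-specific elements is kept while the element, its attributes and any event handlers are not.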