Quick correction/addendum: Firefox seems to be actually fine with CRLF as
line separator in setData(text/uri-list, data) and will return only the
first URL within data on getData(URL). However, it doesn't seem to return
files as URLs with getData(text/uri-list), which I guess would be my third
On 4 Feb 2010, at 17:44, Michal Zalewski wrote:
If there's no HTML, there's no need for a sandbox, so the simplest
solution is just to escape the s and s.
Which people fail at, big time. There are 50,000+ entries on
xssed.com, many of them against big sites presumably developed by
skilled
Kornel Lesinski wrote:
However, if we're going to introduce token-based sandbox anyway, I
suggest putting token in tag name:
<sandbox-$token>...</sandbox-$token>
where $token is the random part. This avoids oddity of attributes in
closing tag, and is compatible with XML. In XML you could also use:
Lachlan Hunt wrote:
Kornel Lesinski wrote:
However, if we're going to introduce token-based sandbox anyway, I
suggest putting token in tag name:
<sandbox-$token>...</sandbox-$token>
where $token is the random part. This avoids oddity of attributes in
closing tag, and is compatible with XML. In
On 5 Feb 2010, at 14:19, Lachlan Hunt wrote:
where $token is the random part. This avoids oddity of attributes in
closing tag, and is compatible with XML. In XML you could also use:
$token:sandbox xmlns:$token=…/$token:sandbox
No, you couldn't use a namespace like that, because then the
On Thu, Feb 4, 2010 at 11:12 AM, Ian Hickson i...@hixie.ch wrote:
On Mon, 25 Jan 2010, Alex Russell wrote:
AFAICT, the objections fall into several buckets:
1.) Users might pick badly or may re-use nonces when they shouldn't.
2.) Escaping is believed to be more secure because it's
Legal documents often use various indicators for list items. E.g.
a. ...
b. ...
c. ...
or
1. ...
2. ...
3. ...
or
I. ...
II. ...
III. ...
or
A. ...
B. ...
C. ...
etc.
These indicators are part of the content and cannot be governed by style
sheets. End users
On Fri, Feb 5, 2010 at 9:21 AM, Anne van Kesteren ann...@opera.com wrote:
These indicators are part of the content and cannot be governed by style
sheets. End users having their own custom style sheets overwriting the
indicators with their own preference would be a problem, for instance.
I
Hello,
Not long ago I published a paper which makes some observations about
the state of security in web session management and proposes some
small changes in browsers. Someone suggested I post it here for
comments. See:
On Feb 4, 2010, at 16:53 , Kit Grose wrote:
I also develop kiosk and medical applications where fullscreen is not only
desirable but necessary behaviour. Crippling the API such that the developer
cannot determine whether or not the user permitted their application to run
fullscreen is
On Feb 5, 2010, at 10:21 AM, Anne van Kesteren wrote:
These indicators are part of the content and cannot be governed by style
sheets. End users having their own custom style sheets overwriting the
indicators with their own preference would be a problem, for instance.
I have seen at least
http://www.atoker.com/blog/2010/02/04/html5-theora-video-codec-for-silverlight/
http://arstechnica.com/open-source/news/2010/02/nuanti-brings-html5-and-ogg-theora-video-to-silverlight.ars
The 40% is from the blog post at the top.
- d.
Hi,
In the spirit of paving some cow paths I'd like to put forward a
proposal for a future version of HTML. The behavior I'm addressing is
sites that replace links to external content with a framed version of
that content, along with their own overlay of information and links.
I think with some
On 2/5/10 5:40 PM, Rowan Nairn wrote:
- don't introduce new security issues like susceptibility to phishing attacks
- The main URL bar should display the framed URL i.e.
http://destination-site.com/
I'm having a really really really hard time reconciling these two,
especially in the
On Fri, Feb 5, 2010 at 2:46 PM, Boris Zbarsky bzbar...@mit.edu wrote:
On 2/5/10 5:40 PM, Rowan Nairn wrote:
- don't introduce new security issues like susceptibility to phishing
attacks
- The main URL bar should display the framed URL i.e.
http://destination-site.com/
I'm having a
On Fri, Feb 5, 2010 at 2:46 PM, Boris Zbarsky bzbar...@mit.edu wrote:
On 2/5/10 5:40 PM, Rowan Nairn wrote:
- don't introduce new security issues like susceptibility to phishing
attacks
- The main URL bar should display the framed URL i.e.
http://destination-site.com/
I'm having a