[rfc-i] draft-iab-html-rfc-03.txt

Joe Hildebrand (jhildebr) jhildebr at cisco.com
Tue Jul 5 13:04:04 PDT 2016


> On Jul 1, 2016, at 9:06 AM, Russ Housley <housley at vigilsec.com> wrote:
> 
> The security considerations say:
> 
>   Since RFCs are sometimes exchanged outside the normal Web sandboxing
>   mechanism (such as using the "rsync" program to a mirror site) then
>   loaded from a local file, more care must be taken with the HTML than
>   is ordinary on the web.
> 
> Is that care already factored into the specification?  If so, please say that.  If not, what additional care is needed?

Yes, it is already factored in.  In particular:

- no javascript
- CSS embedded in the document in <script> tags, rather than being loaded externally (except for the rfc-local.css overrides, which you use at your own risk)
- SVG embedded in the document rather than loaded externally

There are probably a few other places.  We can certainly make this more explicit in the as-built docs we publish after implementation experience.

-- 
Joe Hildebrand
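The three rules listed in the reply above (no JavaScript, CSS and SVG carried inline rather than fetched, rfc-local.css as the only permitted external stylesheet) are straightforward to turn into a static check that can be run over a mirrored copy of an HTML RFC before it is opened from a local file. The checker below is an added example and is not code from the draft, the RFC Editor, or the rfc-interest thread; the exact policy it enforces (flagging any `<script>`, any inline `on*` event handler, any `@import` inside `<style>`, any stylesheet link other than a relative `rfc-local.css`, and any `img`/`object`/`iframe`/SVG `use`/`image` reference that is not a same-document fragment or a `data:` URI) is an assumption drawn from that reply, not a statement of what the RFC Editor tooling actually does. The two HTML documents at the bottom are constructed sample input.

```python
"""Static check that an HTML document is self-contained in the sense of
the reply above: no script, CSS and SVG inline, rfc-local.css the only
external stylesheet.  Added example; the rule set is an assumption
derived from the mailing-list message, not RFC Editor code."""

from html.parser import HTMLParser

# Assumed policy: the only stylesheet that may be fetched from outside
# the document is a relative sibling file named exactly rfc-local.css.
ALLOWED_EXTERNAL_CSS = {"rfc-local.css"}

# Elements whose attribute causes a sub-resource fetch when rendered.
FETCHING_ATTRS = {
    "img": "src", "iframe": "src", "embed": "src", "object": "data",
    "audio": "src", "video": "src", "source": "src",
    "use": "href", "image": "href",      # SVG references inside the page
}


def _is_external(ref):
    """A reference leaves the document unless it is a same-document
    fragment ('#fig1') or an inline data: URI."""
    if not ref:
        return False
    r = ref.strip()
    return not (r.startswith("#") or r.lower().startswith("data:"))


class SelfContainedChecker(HTMLParser):
    """Collects (line, message) findings while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}   # attr names, values may be None
        line, _ = self.getpos()
        if tag == "script":
            self.findings.append((line, "script element present"))
        if tag == "link":
            rel = (a.get("rel") or "").lower().split()
            href = (a.get("href") or "").strip()
            if "stylesheet" in rel and href not in ALLOWED_EXTERNAL_CSS:
                self.findings.append((line, f"external stylesheet {href!r}"))
        if tag == "style":
            self._in_style = True
        if tag in FETCHING_ATTRS:
            ref = a.get(FETCHING_ATTRS[tag]) or a.get("xlink:href")
            if _is_external(ref):
                self.findings.append((line, f"<{tag}> loads external resource {ref!r}"))
        for k in a:
            if k.startswith("on"):          # onload=, onclick=, ... are script too
                self.findings.append((line, f"inline event handler {k} on <{tag}>"))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # @import inside an inline stylesheet still fetches a remote file.
        if self._in_style and "@import" in data:
            line, _ = self.getpos()
            self.findings.append((line, "@import inside <style>"))


def check_html(text):
    """Return a list of (line, message) findings; empty means the
    document satisfies the assumed self-contained rules."""
    p = SelfContainedChecker()
    p.feed(text)
    p.close()
    return p.findings


# Constructed sample documents, not real RFC output.
GOOD = """<!DOCTYPE html><html><head>
<link rel="stylesheet" href="rfc-local.css">
<style>body { font-family: serif }</style>
</head><body>
<svg viewBox="0 0 10 10"><use href="#arrow"/></svg>
</body></html>"""

BAD = """<html><head>
<script src="https://example.invalid/x.js"></script>
<link rel="stylesheet" href="https://example.invalid/rfc.css">
<style>@import url(https://example.invalid/more.css);</style>
</head><body onload="init()">
<img src="https://example.invalid/fig1.svg">
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        for line, msg in check_html(doc):
            print(f"{name}:{line}: {msg}")
```

The check is deliberately conservative: it reports a finding for every reference that would cause a fetch when the file is opened from disk, which is exactly the situation the security considerations are about, and a clean run on `GOOD` versus five findings on `BAD` shows the rules from the reply being applied one by one.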
