Joe Hildebrand (jhildebr)
jhildebr at cisco.com
Tue Jul 5 13:04:04 PDT 2016
> On Jul 1, 2016, at 9:06 AM, Russ Housley <housley at vigilsec.com> wrote:
> The security considerations say:
> Since RFCs are sometimes exchanged outside the normal Web sandboxing
> mechanism (such as using the "rsync" program to a mirror site) then
> loaded from a local file, more care must be taken with the HTML than
> is ordinary on the web.
> Is that care already factored into the specification? If so, please say that. If not, what additional care is needed?
Yes, it is already factored in. In particular:
- CSS embedded in the document in <script> tags, rather than being loaded externally (except for the rfc-local.css overrides, which you use at your own risk)
- SVG embedded in the document rather than loaded externally
There are probably a few other places. We can certainly make this more explicit in the as-built docs we publish after implementation experience.
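
An added example, not part of the message above or of any RFC tooling: a check that an HTML file opened from local disk fetches nothing beyond what it embeds, treating rfc-local.css as the one tolerated exception. The tag list, the function names and the sample document are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: rfc-local.css is the one external file tolerated, as in the message.
ALLOWED = {"rfc-local.css"}
# Attributes that trigger a fetch while rendering (illustrative, not complete; <a href> only navigates).
FETCH_ATTRS = {"link": "href", "script": "src", "img": "src", "iframe": "src",
               "embed": "src", "object": "data", "image": "href", "use": "href"}
CSS_FETCH = re.compile(
    r"@import\s+(?:url\()?\s*['\"]?([^'\")\s;]+)|url\(\s*['\"]?([^'\")\s]+)", re.I)

class ExternalLoadFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (line, where, target)
        self._in_style = False

    def _check(self, where, target):
        # data: URIs and same-document fragments are embedded, not fetched.
        if target and not target.startswith(("data:", "#")) and target not in ALLOWED:
            self.findings.append((self.getpos()[0], where, target))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = tag == "style"
        rel = (attrs.get("rel") or "").lower()
        if tag in FETCH_ATTRS and (tag != "link" or "stylesheet" in rel):
            self._check(tag, attrs.get(FETCH_ATTRS[tag]) or attrs.get("xlink:href"))
        for m in CSS_FETCH.finditer(attrs.get("style") or ""):
            self._check(tag + "[style]", m.group(1) or m.group(2))

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        for m in CSS_FETCH.finditer(data if self._in_style else ""):
            self._check("style", m.group(1) or m.group(2))

def external_loads(html_text):
    finder = ExternalLoadFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings

# Constructed sample, not taken from any published RFC.
SAMPLE = """<link rel="stylesheet" href="rfc-local.css">
<link rel="stylesheet" href="https://example.org/site.css">
<style>@import url("extra.css"); p { background: url(data:image/png;base64,AAAA) }</style>
<svg><image href="diagram.png"/><use href="#arrow"/></svg> <a href="https://example.org/other">x</a>"""
```

Calling `external_loads(SAMPLE)` reports the remote stylesheet, the `@import` and the SVG image reference, and leaves the allowed override file, the data: URI, the fragment reference and the hyperlink alone.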