2011-04-17

branchandroot
2011-04-17 12:16 pm

*What* CSS security issues?

Okay, I am annoyed. I have been unable to find any security issues associated with user-entered or user-uploaded CSS except in cases where a url is permitted as a value. Presumably setting one's loading form to refuse any document with http in it anywhere, or just strip the http string, will fix this.

So WHY is the AO3 skin dialogue so freaking limited?! *yanks own hair* This is supposedly for security reasons, but I fail to see what they could possibly be as long as http strings are axed.

Especially the :before. I could see it being a vandalism concern, but that just means that the reviewer for public skins may want to do a quick find for any "before"s or "after"s. But a security issue? And for pity's sake what's the problem with text-transform? Is there a security issue with me capitalizing things?!

This brief rant brought to you by the number of CSS variables which do not seem to be whitelisted for even private AO3 skins. And the increasing suspicion that both the explanation and the error message script were poorly thought out, totally aside from the obvious bugs in the allow/disallow script.

All I want is some freaking metadata labels! This platform has distinguished itself as the second, only after WordPress, to receive an "argh" tag of its very own.