Question thread #4

[pauamma]

It's time for another question thread!

The rules:

- You may ask any dev-related question you have in a comment. (It doesn't even need to be about Dreamwidth, although if it involves a language/library/framework/database Dreamwidth doesn't use, you will probably get answers pointing that out and suggesting a better place to ask.)
- You may also answer any question, using the guidelines given in To Answer, Or Not To Answer.

Comments

[syntheid]

Not sure if this is the sort of question that is supposed to go here, so apologies if it's not. But I keep wondering if there's a reason inline css styling isn't allowed on the profile page. Seems a bit odd, since I've seen that suggested recently as the primary way to restyle a table if you post it in your entry, but then it gets stripped out if you try to put a style attribute in a tag on the profile page. Which means things like removing padding from the table in your profile are impossible to manage, too. Is there a security/site reason for that?

[denise]

It's for security: CSS is a major vector of injection attack, and profiles can be served from the www subdomain in certain cases, opening up the possibility of malicious CSS having access to a user's master cookie if it manages to make it through. Journal space is on the user subdomain, which limits the damage that any security breach could affect to just being able to leave comments in that subdomain as the person who's had their cookies stolen, but if a malicious someone can get the master cookie, they'd have access to the whole account.

[syntheid]

Ahh, that makes sense, thank you.