Tuesday, August 07, 2007

flat is better than nested?

In the process of making Crunchy more secure, I had extra attention to css files that contained import statements, since these can be used to insert javascript code. I was rather surprised when I looked at www.python.org. First, I noticed the line
  <link rel="stylesheet" type="text/css" media="screen"
id="screen-switcher-stylesheet" href="/styles/screen-switcher-default.css" />
which, in itself, appears rather ordinary. Upon following the link, I found that the content of the css file consists of the single line:
@import url(../styles/styles.css);

In its default security mode, Crunchy just ignores any style information that contains "url(" in it. As a result, when viewed using the default security mode for Crunchy, the python.org site's formatting is lost.

I wonder why the link redirection is used...

2 comments:

Tim Parkin said...

Not having enough time to refactor it. I originally only had one stylesheet (styles.css) but then wanted to use the styleswitcher but it wanted to use the different names for styles. I obviously linked it in and never got around to changing it (although it may have something to do with the fact that import only works with newer browsers - it's so long ago now I can't remember. I'll have a quick look next time I'm on the site).

André Roberge said...

While I have been wondering about the reason for the single link, I must say that I really like the work you have done with the new Python site. It looks a lot more professional than the old one!