Closed
Bug 546856
Opened 15 years ago
Closed 14 years ago
Drop support for XBL1 on web sites
Categories
(Core :: XBL, defect)
RESOLVED DUPLICATE of bug 546857
Tracking | Status | |
---|---|---|
blocking2.0 | --- | beta4+ |
People
(Reporter: jruderman, Unassigned)
Details
(Whiteboard: [sg:want P1])
As I mentioned on http://blog.mozilla.com/security/2010/02/10/fixing-security-holes-without-introducing-new-bugs/, XBL is a major source of security problems.
Also, we know we want to replace it with something else, so we might as well remove it before more people start using it.
To really close the attack surface, we may need to change how marquee and media controls work, but that can happen later IMO.
Comment 1•15 years ago
See bug 379644. In particular the analysis in bug 379644 comment 45.
I assume that this bug is about making it so that only privileged stylesheets (user(?), UA, chrome; do we give skin stylesheets system principals?) can link to XBL, basically? That would address threat (A) from that comment and maybe threat (C) (though I think we have (C) solved already), and perhaps make (B) more difficult. It's effectively mitigation strategy (1) from the abovementioned comment, right?
Reporter
Updated•14 years ago
Whiteboard: [sg:want P1]
Reporter
Updated•14 years ago
blocking2.0: --- → ?
Comment 2•14 years ago
This is happening as part of bug 546857. Duping.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Updated•14 years ago
blocking2.0: ? → beta4+