Re: [Feature Proposal] New attributes "library" and "version" on script tags

On 8/9/13 11:12 PM, François REMY wrote:
>> This is an interesting concept but something else to consider: what is
>> to prevent someone from "lying" about which script they are
>> referencing?
>>
>> e.g. <script library="jQuery" version="1.0"
>> src="/somethingNotjQuery.js"></script>
>
> You can't. This is why this won't happen, at least not like that.
>
> The only option for this would be to provide a cryptographically strong hash of the file as the version, but this prevents minor fixes (i.e. using 1.1 instead of 1.0 where the release only fixes bugs).
>
> The other option is to have a server you trust and which can download the best files for you. A kind of local CDN+cache, in some way.

I feel like I'm missing something...

The proposal was specifically that the browser should provide a built-in 
jQuery 1.0 in this situation, right?

So if the src points to some other script, there are three possibilities:

1)  The page expects the other script and will break in a browser that 
implements this proposal.

2)  The page expects jQuery 1.0 and will break in a browser that does 
not implement this proposal.

3)  The page doesn't care what's loaded here at all.

Ignoring #3 for the moment, "lying" will just mean the page ends up 
broken.  The main impact of this is how willing UAs are to give pages 
this footgun, I guess, but it doesn't seem like a fatal problem to me 
offhand.

Note that if the proposal were to download from one page but share 
across others, _then_ lying like this would have cache-poisoning issues. 
  But if the proposal is to just have browsers use built-in versions of 
libraries it's not obvious to me that there is a problem from the lying 
aspect.

-Boris

Received on Saturday, 10 August 2013 03:33:19 UTC