- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 28 Mar 2013 19:27:11 +0000
- To: Dimitri Glazkov <dglazkov@google.com>
- Cc: public-webapps <public-webapps@w3.org>, Elliott Sprehn <esprehn@gmail.com>, Angelina Fabbro <angelinafabbro@gmail.com>, Brian Kardell <bkardell@gmail.com>, Steve Orvell <sorvell@google.com>, Ryan Seddon <seddon.ryan@gmail.com>, Ladislav Thon <ladicek@gmail.com>, Dominic Cooney <dominicc@google.com>
On Tue, Mar 26, 2013 at 3:59 PM, Dimitri Glazkov <dglazkov@google.com> wrote: > After all resources are loaded and processed, we'll need to process > <element> instances, in reverse order of loading. Processing means: > > 1) Registering a custom element, specified by this <element>. This > will involve running its children <script> elements with some special > rules. > 2) Running element upgrade: > https://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/custom/index.html#dfn-element-upgrade > > As for the fetching security model, I have a bug for this: > https://www.w3.org/Bugs/Public/show_bug.cgi?id=21226. Please guide me, > would love your fetch-spec-writing experience :) > > As an additional wrinkle, the webdevs really want this: > https://www.w3.org/Bugs/Public/show_bug.cgi?id=21229 I guess what mostly strikes me as weird is that we're again introducing cross-origin scripts that execute with your principals. That seems bad. Assuming we don't find anything better, lets make it clear (monkeypatch for now, I'll create a way) that https -> http fails (we might even want https+EV requires https+EV linking although I'm not sure if you gain much by that). That you really have to trust who you import (suspect the likelyhood of that helping to be close to zero, but who knows). -- http://annevankesteren.nl/
Received on Thursday, 28 March 2013 19:27:39 UTC