- From: Joe Walnes <joe@walnes.com>
- Date: Tue, 22 Oct 2013 14:10:57 -0500
- To: public-webapps@w3.org
Hi I'm experimenting with HTML Imports to simplify a collection of complicated web-apps. I'm really impressed with the functionality - it's greatly simplified things. I'm currently using a polyfill but looking forward to being able to use this natively. I've hit a limitation though - I'd really like to be able to share imports across origins. This makes it easy to share components across web-apps and I see this as a powerful way to piece together web-apps from different service providers. The current HTML Imports draft says: "On getting, the import attribute must return null, if:" ... "the resource is CORS-cross-origin.". If I understand correctly, that means HTML Imports will not work cross origin. Importing CSS, JavaScript and other media do not have this constraint. What is the reason behind having this constraint in HTML imports? >From the container page, it seems no riskier than linking to JavaScript on another domain. From the contained page, appropriate use of CORS headers should be able to prevent malicious pages grabbing their content. In fact the polyfill I'm using already allows cross origin imports, so even if the spec forbids it, the polyfills can get around it. Is this a deliberate design decision, or just something that hasn't been discussed in the draft yet? Thanks -Joe Walnes p.s. As I was writing this I just saw the Fetch spec proposal. This looks great and I hope it will help address the issue.
Received on Wednesday, 23 October 2013 09:28:50 UTC