[whatwg] <include> element

Martin Atkins wrote:
> Christian Schmidt wrote:
>>
>> In practice, the result effect is often achieved by wrapping your 
>> include file in a document.write() and including this using script a 
>> <script src="...">. However, this makes it harder to write these 
>> includes by hand (you have to escape certain characters, ' " \ \n \r 
>> \t), and debugging also gets more difficult.
>>
> 
> This last point made me think of a related issue:
> 
> When you use the above technique, the included script runs in the 
> security context of the including page, and this technique therefore 
> requires complete trust of the included document.
> 
> Would documents included via <include> run in the security context of 
> the including page, as with the script technique, or would they run in 
> the context of the included document, as with iframes?
> 
> Personally I favor the latter, but I wonder if this impact's anyone's 
> use-cases?.

They would run in the context of the included page, just like an iframe. 
The processing of <include> is exactly that of <iframe> the only 
difference is in the rendering.

In fact, for security reasons we might end up having to use <iframe 
type="include"> or some such rather than <include>

This is all detailed in my original proposal.

/ Jonas

Received on Friday, 27 April 2007 03:36:34 UTC