[Bug 10068] Suggest making noscript obsolete but conforming


--- Comment #47 from Adam Barth <w3c@adambarth.com>  2010-08-23 22:39:05 ---
>> <noscript> limits the meta refresh to only those situations when script is
>> disabled.
> Obviously. But what actual problem does this solve?

Redirecting folks who don't have JavaScript turned on to a version of the site
that works for them.

> The Microsoft blog post I cited says: "Send the content as an HTTP Header  the
> directive is ignored if specified in a META tag". *If* that's accurate (I
> haven't tested), then Facebook's directive does not work. (I wouldn't be
> surprised by error in either direction.)

I think you'll get more accurate results by testing what actually happens then
by reading a blog post.

> But - assuming for the sake of discussion it *does* work - is the purpose of
> attempting to limit "X-Frame-Options" to script-less scenarios to enable the
> content to be iframed when JS *is* enabled?

They have some other solution for clickjacking when JS is enabled.  For
whatever reason, they'd rather use that than X-Frame-Options.  However, they
still want to use X-Frame-Options in the case when there's no script.

> Are they trying to balance integrations options with security concerns or what?

I don't think you or I should sit in judgement of these decisions.  The point
is only that <noscript> is a useful, widely used element that does things that
no other element can do.  Declaring it obsolete when it's not is silly and
counter productive.

> a usage example is not the same as a use case.

Usage, however, is evidence that the feature solves a problem in a useful way.

I'm tired of arguing.  Bottom line: we shouldn't declare something obsolete
that's used by a very large number of important web sites.

Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

Received on Monday, 23 August 2010 22:39:08 UTC