- From: Ian Hickson <ian@hixie.ch>
- Date: Sun, 17 Jan 2010 09:14:38 +0000 (UTC)
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: public-html@w3.org
On Sun, 17 Jan 2010, Julian Reschke wrote: > Ian Hickson wrote: > > ... > > Markup in attributes has it's disadvantages, but it's not necessarily a > > problem. data: URLs of HTML resources are a common case of markup in an > > attribute that seems to work ok; it is in fact the inspiration for doc="". > > The main problems with data: attributes in this context are: > > > > - data: attributes require more escaping > > Yes. Is that sufficient reason to add yet another syntax? Maybe, maybe not. I guess that's a judgement call. I would judge that it is probably not necessary on its own, but is probably a strong enough gain that given few other benefits, it would sway the argument. > > - the definition of 'origin' for data: attributes isn't fully stable > > Then it should be made stable. That would be nice, yes. If you can get consensus amongst implementors on what origin should be used for documents parsed from data obtained from data: URLs, and then get them to reliably implement that and ship it without them receiving bug reports that cause them to change their mind, then I would be very grateful. > > - using data: has the wrong fallback story (it fails open, instead of > > closed) > > ... > > What does that mean? A data: URI is processed in a legacy UA even if it doesn't support sandboxing. What we're looking for is a solution where the origin can be the same as the parent document's, with scripting disabled, in UAs that support sandbox="", and where legacy UAs either render nothing, or, ideally, can be served a server-filtered alternative form of the data. I don't see how to do that with src="data:...". -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Sunday, 17 January 2010 09:15:07 UTC