- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 18 Jan 2010 02:00:18 -0800
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: Ian Hickson <ian@hixie.ch>, HTML WG <public-html@w3.org>
On Mon, Jan 18, 2010 at 12:36 AM, Maciej Stachowiak <mjs@apple.com> wrote: > I'm not saying Adam's concern rules the feature out, but we should think about whether there is a way to tighten it up or find a different way to do things. Making it solely an IDL attribute and not a content/markup attribute is one way to avoid script injection risks, but may not serve the use case equally well. (In fact, it's not any harder to document.write or use innerHTML on the content document, so a script-only feature might not be worth doing). Keep in mind that you most often want to use this feature without the allow-origin directive, which means you won't be able to reach into the frame to call document.write or set innerHTML. Adam
Received on Monday, 18 January 2010 10:01:11 UTC