- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Fri, 09 Aug 2013 23:32:49 -0400
- To: public-html@w3.org
On 8/9/13 11:12 PM, François REMY wrote:
>> This is an interesting concept but something else to consider: what is
>> to prevent someone from "lying" about which script they are
>> referencing?
>>
>> e.g. <script library="jQuery" version="1.0"
>> src="/somethingNotjQuery.js<http://codeorigin.jquery.com/jquery-1.10.2.min.js>"></script>
>
> You can't. This is why this won't happen, at least not like that.
>
> The only option for this would be to provide a cryptographically strong hash of the file as the version, but this prevents minor fixes (i.e. using 1.1 instead of 1.0 where the release only fixes bugs).
>
> The other option is to have a server you trust and which can download the best files for you. A kind of local CDN+cache, in some way.

I feel like I'm missing something...

The proposal was specifically that the browser should provide a built-in jQuery 1.0 in this situation, right? So if the src points to some other script, there are three possibilities:

1) The page expects the other script and will break in a browser that implements this proposal.

2) The page expects jQuery 1.0 and will break in a browser that does not implement this proposal.

3) The page doesn't care what's loaded here at all.

Ignoring #3 for the moment, "lying" will just mean the page ends up broken. The main impact of this is how willing UAs are to give pages this footgun, I guess, but it doesn't seem like a fatal problem to me offhand.

Note that if the proposal were to download from one page but share across others, _then_ lying like this would have cache-poisoning issues. But if the proposal is to just have browsers use built-in versions of libraries it's not obvious to me that there is a problem from the lying aspect.

-Boris
Received on Saturday, 10 August 2013 03:33:19 UTC