- From: David Bruant <bruant.d@gmail.com>
- Date: Sun, 19 Feb 2012 23:17:31 +0100
- To: Anne van Kesteren <annevk@opera.com>
- CC: Brendan Eich <brendan@mozilla.com>, es-discuss <es-discuss@mozilla.org>, "public-script-coord@w3.org" <public-script-coord@w3.org>, mranney@voxer.com
On 19/02/2012 22:57, Anne van Kesteren wrote:
> On Sun, 19 Feb 2012 21:29:48 +0100, David Bruant <bruant.d@gmail.com>
> wrote:
>> I think a CSP-like solution should be explored.
>
> FWIW, the feedback on CORS (CSP-like) thus far has been that it's
> quite hard to set up custom headers.

Do you have a reference on this feedback? Under which circumstances is it hard?

One major annoyance I see in HTTP headers is that I have never heard of a hosting service allowing to choose the HTTP your service is served with and that's problematic. <meta http-equiv> is of some help to provide the feature without having control over the HTTP response, but in some cases, we want the HTTP header to mean something that is document-wise and a <meta> can be too late.

> So for something as commonly used as JavaScript I'm not sure we'd want
> to require that. And although more difficult, if we want <meta> it can
> be made to work, it's just more complicated than simply defining a
> name and a value. But maybe it should be something simpler, e.g.
>
> <html unicode>
>
> in the top-level browsing context's document.

I'm not sure it solves anything since a script could be the first thing an HTML renderer comes across, even before a doctype, even before an <html> starting tag. My guess would be that the HTML spec defines that this script should be executed even if the "<script>" opening tag is the first bytes of the document.

David
Received on Sunday, 19 February 2012 22:18:01 UTC