- From: Jens Oliver Meiert <jens@meiert.com>
- Date: Fri, 28 Aug 2020 08:59:06 +0200
- To: Ryosuke Niwa <rniwa@apple.com>
- Cc: Jeffrey Yasskin <jyasskin@google.com>, public-web-perf <public-web-perf@w3.org>, Krzysztof Kotowicz <koto@google.com>, Hayato Ito <hayato@google.com>

> > In https://github.com/WICG/webpackage/issues/580, Krzysztof worries that adding any new way for a <link> tag to affect script loading is a security risk, because pages may not be as careful about preventing users from injecting <link> tags as they are about <script> tags. Instead, he suggests using a Javascript API to tell the browser to preload subresources using a bundle.
>
> That would be a pretty serious security risk. Putting all other objections against web packaging / web bundles aside, this will be a pretty big show stopper.

Ryosuke, just to be clear, what does your “that” refer to—using scripts with <link> elements this way, or preloading resources in a bundle?

—If I get Krzysztof right I would share the concerns around repurposing the <link> element. There seem to be enough problems around even raising awareness for the security implications of <script> elements.

--
Jens Oliver Meiert
https://meiert.com/en/

Received on Friday, 28 August 2020 06:59:32 UTC