- From: Ryosuke Niwa <rniwa@apple.com>
- Date: Fri, 28 Aug 2020 00:16:49 -0700
- To: Jens Oliver Meiert <jens@meiert.com>
- Cc: Jeffrey Yasskin <jyasskin@google.com>, public-web-perf <public-web-perf@w3.org>, Krzysztof Kotowicz <koto@google.com>, Hayato Ito <hayato@google.com>
> On Aug 27, 2020, at 11:59 PM, Jens Oliver Meiert <jens@meiert.com> wrote: > >>> In https://github.com/WICG/webpackage/issues/580, Krzysztof worries that adding any new way for a <link> tag to affect script loading is a security risk, because pages may not be as careful about preventing users from injecting <link> tags as they are about <script> tags. Instead, he suggests using a Javascript API to tell the browser to preload subresources using a bundle. >> >> That would be a pretty serious security risk. Putting all other objections against web packaging / web bundles aside, this will be a pretty big show stopper. > > Ryosuke, just to be clear, what does your “that” refer to—using > scripts with <link> elements this way, or preloading resources in a > bundle? The fact link element can affect what script gets loaded. - R. Niwa
Received on Friday, 28 August 2020 07:17:14 UTC