Re: webcomponents: <import> instead of <link> from Dimitri Glazkov on 2013-05-15 (public-webapps@w3.org from April to June 2013)

From: Dimitri Glazkov <dglazkov@chromium.org>
Date: Wed, 15 May 2013 11:26:36 -0700
To: Simon Pieters <simonp@opera.com>
Cc: public-webapps <public-webapps@w3.org>, Hajime Morrita <morrita@google.com>
Message-ID: <CADh5Ky3nKxAr_h--N5m0fAD2DBWtY=wfpPwynur_H6vCN+uJRQ@mail.gmail.com>

On Tue, May 14, 2013 at 2:21 PM, Simon Pieters <simonp@opera.com> wrote:

> That seems to be an argument based on aesthetics. That's worth considering,
> of course, but I think is a relatively weak argument. In particular I care
> about the first bullet point above. <link> is not capable of executing
> script from an external resource today. What are the implications if it
> suddenly gains that ability?

Given that WebAppSec peeps suggested that CSP treats <link rel=import>
as script-src, I am pretty sure we're okay here. Are there any other
things that we should worry about?

There's one more ditty that seems valuable: HTML Imports
scripts-blocking behavior is much closer to how <link rel=stylesheet>
works (https://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/imports/index.html#dfn-import-ready-flag
and thereabouts)

:DG<

Received on Wednesday, 15 May 2013 18:27:07 UTC