Re: webcomponents: <import> instead of <link>

On Wed, May 15, 2013 at 9:08 PM, Simon Pieters <simonp@opera.com> wrote:
> Case study: <img> was historically not capable of executing script from an
> external file. This led to sites expecting <img> to be safe (e.g. allow
> untrusted comments to use <img>). When browsers wanted to support SVG in
> <img>, scripting had to be disabled in order to not break the assumption
> that <img> is safe.

Further case-in-point: Hosting SVG same-origin is nevertheless still
very much a no-no as tricking the user into loading the file directly
will expose the user to said scripts.


--
http://annevankesteren.nl/

Received on Thursday, 16 May 2013 16:40:10 UTC
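
Added example, not part of the original message: a server-side sketch of the point above for a site that has to serve user-uploaded files from its own origin, forcing response headers that keep a directly opened SVG from running script in that origin. The function names, the 64 KiB sniff window and the sample bytes are assumptions made for this illustration.

```python
import re

# Conservative sniff for an <svg> start tag, optionally namespace-prefixed.
# Over-matching is acceptable: a false positive only adds restrictive headers.
SVG_TAG = re.compile(rb"<\s*(?:[A-Za-z_][\w.-]*:)?svg[\s>/]", re.IGNORECASE)
SNIFF_WINDOW = 65536  # assumption: inspect the first 64 KiB of the upload


def looks_like_svg(filename, declared_type, data):
    """True if the name, the declared type or the bytes suggest SVG."""
    if filename.lower().endswith((".svg", ".svgz")):
        return True
    if declared_type.split(";")[0].strip().lower() == "image/svg+xml":
        return True
    # Dropping NUL bytes lets the ASCII pattern also match UTF-16 encoded XML.
    head = data[:SNIFF_WINDOW].replace(b"\x00", b"")
    return bool(SVG_TAG.search(head))


def response_headers(filename, declared_type, data):
    """Headers for serving an untrusted upload from the application origin."""
    headers = {"X-Content-Type-Options": "nosniff"}
    if looks_like_svg(filename, declared_type, data):
        headers["Content-Type"] = "image/svg+xml"
        # Direct navigation downloads the file instead of rendering it;
        # <img> embedding is unaffected by Content-Disposition.
        headers["Content-Disposition"] = "attachment"
        # If it is rendered anyway, it gets an opaque origin and no script.
        headers["Content-Security-Policy"] = "script-src 'none'; sandbox"
    else:
        headers["Content-Type"] = declared_type
    return headers


# Constructed sample inputs.
SVG_SAMPLE = (b'<?xml version="1.0"?>'
              b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="1"/></svg>')
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, ctype, body in [("avatar.png", "image/png", SVG_SAMPLE),
                              ("photo.png", "image/png", PNG_SAMPLE)]:
        print(name, response_headers(name, ctype, body))
```

These headers are defence in depth; serving uploads from a separate origin remains the stronger control.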