Re: webcomponents: <import> instead of <link>

Filed to track this.


On Thu, May 16, 2013 at 9:39 AM, Anne van Kesteren <> wrote:
> On Wed, May 15, 2013 at 9:08 PM, Simon Pieters <> wrote:
>> Case study: <img> was historically not capable of executing script from an
>> external file. This led to sites expecting <img> to be safe (e.g. allow
>> untrusted comments to use <img>). When browsers wanted to support SVG in
>> <img>, scripting had to be disabled in order to not break the assumption
>> that <img> is safe.
> Further case-in-point: Hosting SVG same-origin is nevertheless still
> very much a no-no as tricking the user into loading the file directly
> will expose the user to said scripts.
> --

Received on Wednesday, 19 June 2013 18:05:36 UTC