[webcomponents] Cross origin HTML imports

Hi

I'm experimenting with HTML Imports to simplify a collection of
complicated web-apps. I'm really impressed with the functionality -
it's greatly simplified things. I'm currently using a polyfill but
looking forward to being able to use this natively.

I've hit a limitation though - I'd really like to be able to share
imports across origins. This makes it easy to share components across
web-apps and I see this as a powerful way to piece together web-apps
from different service providers.

The current HTML Imports draft says: "On getting, the import attribute
must return null, if:" ... "the resource is CORS-cross-origin.". If I
understand correctly, that means HTML Imports will not work cross
origin.

Importing CSS, JavaScript and other media does not have this constraint.
What is the reason behind having this constraint in HTML imports?

From the container page, it seems no riskier than linking to
JavaScript on another domain. From the contained page, appropriate use
of CORS headers should be able to prevent malicious pages grabbing
their content. In fact the polyfill I'm using already allows cross
origin imports, so even if the spec forbids it, the polyfills can get
around it.

Is this a deliberate design decision, or just something that hasn't
been discussed in the draft yet?

Thanks
-Joe Walnes

p.s. As I was writing this I just saw the Fetch spec proposal. This
looks great and I hope it will help address the issue.

Received on Wednesday, 23 October 2013 09:28:50 UTC