- From: Hajime Morrita <morrita@google.com>
- Date: Wed, 23 Oct 2013 21:16:19 +0900
- To: Joe Walnes <joe@walnes.com>
- Cc: public-webapps <public-webapps@w3.org>
- Message-ID: <CALzNm5qyejAesS5XUvVJ2OWn_w2ZKM3k-21Uq_V=VV8fgcSb3w@mail.gmail.com>
Hi Joe,

Thanks for trying HTML Imports and looking into the spec!

It's a spec bug. The intention of the spec is to allow CORS-aware cross origin resources. It seems that something wrong happened during editing. I filed a bug [1] for revising it.

I've been trying to define the import loading behavior on top of the "basic fetch" algorithm of the fetch standard. So feedback like yours is really appreciated.

Thanks,

[1] https://www.w3.org/Bugs/Public/show_bug.cgi?id=23606

-- morrita

On Wed, Oct 23, 2013 at 4:10 AM, Joe Walnes <joe@walnes.com> wrote:

> Hi
>
> I'm experimenting with HTML Imports to simplify a collection of
> complicated web-apps. I'm really impressed with the functionality -
> it's greatly simplified things. I'm currently using a polyfill but
> looking forward to being able to use this natively.
>
> I've hit a limitation though - I'd really like to be able to share
> imports across origins. This makes it easy to share components across
> web-apps and I see this as a powerful way to piece together web-apps
> from different service providers.
>
> The current HTML Imports draft says: "On getting, the import attribute
> must return null, if:" ... "the resource is CORS-cross-origin.". If I
> understand correctly, that means HTML Imports will not work cross
> origin.
>
> Importing CSS, JavaScript and other media do not have this constraint.
> What is the reason behind having this constraint in HTML imports?
>
> From the container page, it seems no riskier than linking to
> JavaScript on another domain. From the contained page, appropriate use
> of CORS headers should be able to prevent malicious pages grabbing
> their content. In fact the polyfill I'm using already allows cross
> origin imports, so even if the spec forbids it, the polyfills can get
> around it.
>
> Is this a deliberate design decision, or just something that hasn't
> been discussed in the draft yet?
>
> Thanks
> -Joe Walnes
>
> p.s. As I was writing this I just saw the Fetch spec proposal. This
> looks great and I hope it will help address the issue.

-- morrita
Received on Wednesday, 23 October 2013 12:16:47 UTC
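
The distinction the thread turns on, as an added example that is not part of either message or of the HTML Imports draft: a model of the Fetch Standard's CORS check and of the resulting same-origin / CORS-same-origin / CORS-cross-origin classification. The function names, the lowercase-keyed header maps and the `*.example` origins are assumptions constructed for illustration.

```javascript
// Added illustration. Header objects are constructed samples with lowercase keys.

// CORS check, following the steps of the Fetch Standard: has the response
// opted in to being read by a document at requestOrigin?
function corsCheck(requestOrigin, credentialsMode, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;           // server did not opt in
  if (credentialsMode !== 'include' && allowOrigin === '*') return true;
  if (allowOrigin !== requestOrigin) return false;       // exact match only, no lists or patterns
  if (credentialsMode !== 'include') return true;
  // Credentialed requests additionally need an explicit grant;
  // a wildcard never satisfies them (it already failed the match above).
  return headers['access-control-allow-credentials'] === 'true';
}

// Classify a fetched resource relative to the importing document.
function classifyResource(documentOrigin, resourceUrl, credentialsMode, headers) {
  if (new URL(resourceUrl).origin === documentOrigin) return 'same-origin';
  return corsCheck(documentOrigin, credentialsMode, headers)
    ? 'CORS-same-origin'
    : 'CORS-cross-origin';
}

// Hypothetical helper modelling the intended behaviour described in the reply:
// the imported document is exposed unless the resource is CORS-cross-origin.
function importIsExposed(documentOrigin, resourceUrl, credentialsMode, headers) {
  return classifyResource(documentOrigin, resourceUrl, credentialsMode, headers)
    !== 'CORS-cross-origin';
}

// Constructed sample: an app importing a component from another origin.
const app = 'https://app.example';
const component = 'https://components.example/widgets.html';

console.log(classifyResource(app, component, 'omit', {}));
console.log(classifyResource(app, component, 'omit',
  { 'access-control-allow-origin': '*' }));
console.log(classifyResource(app, component, 'include',
  { 'access-control-allow-origin': '*' }));
console.log(classifyResource(app, component, 'include',
  { 'access-control-allow-origin': app, 'access-control-allow-credentials': 'true' }));
```

Under this model the component's server, not the importing page, decides whether its content is readable cross-origin, which is the protection for the contained page that the original question refers to.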