A clarification to make sure people in same page:
On Mon, Jun 2, 2014 at 5:54 AM, James M Snell <jasnell@gmail.com> wrote:
> So long as they're handled with the same policy and restrictions as the
> script tag, it shouldn't be any worse.
>
HTML Imports are a bit more strict. They see CORS header and decline if
there is none for cross origin imports.
Also, requests for imports don't send any credentials to other origins.
> On Jun 2, 2014 2:35 AM, "Anne van Kesteren" <annevk@annevk.nl> wrote:
>
>> How big of a problem is it that we're making <link> as dangerous as
>> <script>? HTML imports can point to any origin which then will be able
>> to execute scripts with the authority of same-origin.
>>
>>
>> --
>> http://annevankesteren.nl/
>>
>>
--
morrita