- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 4 Jun 2014 11:00:23 +0200
- To: "Oda, Terri" <terri.oda@intel.com>
- Cc: WebApps WG <public-webapps@w3.org>
On Tue, Jun 3, 2014 at 7:20 PM, Oda, Terri <terri.oda@intel.com> wrote:
> Perhaps it would make sense to also require explicit allowing of imports via
> CSP? Scripts are allowed when no CSP is provided for historical
> compatibility so you'd need to make sure that imports fell under a separate
> directive, but there's no need for backwards compatibility so it probably
> makes sense to choose a more conservative default behaviour for HTML
> Imports.

Using <script import> seems like a solution that would be better in that
case, as it does not provide opt-in through HTTP. Whenever we require HTTP
for a feature, we get a ton of complaints.

And <script import> is not that bad authoring-wise either:

  <script import></script>
  <link rel="import" href>

(Okay, you win two code points if you omit the quotes with <link>.)

-- 
http://annevankesteren.nl/
Received on Wednesday, 4 June 2014 09:00:54 UTC