- From: Jonas Sicking <jonas@sicking.cc>
- Date: Fri, 27 Apr 2007 03:36:34 -0700

Martin Atkins wrote:
> Christian Schmidt wrote:
>>
>> In practice, the result effect is often achieved by wrapping your
>> include file in a document.write() and including this using script a
>> <script src="...">. However, this makes it harder to write these
>> includes by hand (you have to escape certain characters, ' " \ \n \r
>> \t), and debugging also gets more difficult.
>>
>
> This last point made me think of a related issue:
>
> When you use the above technique, the included script runs in the
> security context of the including page, and this technique therefore
> requires complete trust of the included document.
>
> Would documents included via <include> run in the security context of
> the including page, as with the script technique, or would they run in
> the context of the included document, as with iframes?
>
> Personally I favor the latter, but I wonder if this impacts anyone's
> use-cases?

They would run in the context of the included page, just like an iframe. The processing of <include> is exactly that of <iframe>; the only difference is in the rendering. In fact, for security reasons we might end up having to use <iframe type="include"> or some such rather than <include>.

This is all detailed in my original proposal.

/ Jonas

Received on Friday, 27 April 2007 03:36:34 UTC