[whatwg] On separation of code and data

The primary purpose of HTML is presentation, not scripting.  You can have a
user agent that does not support scripting at all, or that does not support
scripting in your script of choice, but other elements of your presentation
should be rendered, whatever that means, and make sense without scripting.
I cannot agree with sticking the tag "Future of HTML" onto scripting
security research.

Everything is executable in JavaScript, e.g. the expression "0" returns 0
when you execute it, therefore not executable means inaccessible.  The
duality of data and code is a characteristic of high level languages and it
is generally considered a good thing because it makes reflection possible.
I admit that reflection is not widely used in JavaScript, and most of such
cases actually are a misuse; nevertheless, IMHO, removing the data-code
duality would be a big step backwards.  Which, needless to say, could be
welcome to an industry, like Tinselton, that prefers prosecuting and
restricting to protecting and innovating; the WWW industry hopefully does
not belong to this genre.

The execution protection flag makes sense in machine code where the duality
cannot be readily seen, especially in compiled code where the compiler has
moved and transformed much of the original code to better match the target
architecture, which is beneficial both to the programmer and to the end
user; however, even in such an environment it is used sparingly and often
limited to core system services because it is incompatible with trampolines
and closures, at least the way they are implemented by most compilers.  It
cannot be viewed as the universal remedy and it should not be applied to
interactive elements.

The suggestion that JavaScript code should be rendered is ridiculous; it
reminds me of MacWeb, R.I.P.  But, as an afterthought, perhaps it could
enforce a better coding style to Web developers?  Sort of "Do not execute it
because it is unpretty?"  Just kidding.

And if you disable inline script code, the authors will be forced to use the
data URL scheme instead, which is cumbersome and buys you almost nothing,
except that you can use the token -- in the script.  Is that what you want?

The DOM tree does not contain any code, so separating DOM code elements and
attributes is void.  Please explain what you really want and give us an
example scenario of how it would work and how it would help, along the line
"This document could be used to steal your credit card number because.; my
idea would prevent it because. while everything else will work as expected



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20070607/e118a7ff/attachment.htm>

Received on Thursday, 7 June 2007 02:17:24 UTC