W3C home > Mailing lists > Public > whatwg@whatwg.org > July 2011

[whatwg] CSP feedback

From: Rob Levin <roblevin@hotmail.com>
Date: Thu, 28 Jul 2011 22:51:19 +0100
Message-ID: <COL122-DS254673C4DE52C23AB0959BC8340@phx.gbl>
> > (2) With the rise of Javascript frameworks like JQuery, it is becoming 
> > best practice to separate the code from the content. All legitimate 
> > code can be placed in the <head> block without too much effort, for 
> > many sites.

> In practice many developers prefer to place almost all script tags right
before the closing body tag
> http://developer.yahoo.com/performance/rules.html#js_bottom

Yes, I agree.  There can be a performance optimisation from placing scripts
at the bottom of the page.  In the absence of any other factors, this has
been the primary driver of advice where to place the scripts.  

But from a security point of view, mixing the scripts and the content is
quite dangerous - it gives malicious content more opportunities to sneak in
a live malicious script.  If placing scripts only in the head block could
give a simple and significant security enhancement, then the best-practice
advice could quickly change.  And hopefully with modern browsers the same
performance benefits can now be realised using scripts in the head block,
with the defer and/or async attribute

Received on Thursday, 28 July 2011 14:51:19 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:35 UTC