- From: Will Alexander <serverherder+whatwg@gmail.com>
- Date: Tue, 01 Mar 2011 16:58:43 -0500
On Wed, 2011-02-23 at 11:12 -0800, Tab Atkins Jr. wrote: > > """ > I have untrusted markup from a third party which I would like to > safely insert into my page, knowing that the rest of my page is safe > from whatever the untrusted markup is doing. Also, the untrusted > markup may be doing expensive things, particularly on load, so I'd > like to wait until after the rest of the page is loaded before loading > the markup. > """ > > Is this accurate? Correct me if not, but I'll assume it is for now. In many cases the code itself is considered trustworthy, but the ad server's performance suspect. In that case, asynchronous execution of the script is desired. Unfortunately, as the original email points out, the use of document.write() prevents this. Especially for ads, there are considerable advantages to using iframes; however, fully-privileged scripts have advantages too. Despite a decade of warning/ridiculing authors, document.write()'s continued prevalence seems to be evidence of the fact that it is the only mechanism to address a common problem: Where in the document should a script place the content it generates? A patch to Gecko [1] , originally discussed on the list last August [2], seems to address this. It adds a `currentScript` property which references (surprise) the currently executing script. When a script can reliably find itself, authors can use the current semantics of "put this script wherever you want the widget to go," asynchronously if they so choose. The proposal seems to have been stalled by the specifics of some additional compilation events that were also included. Beyond the Gecko patch, I'm not sure where adoption stands. [1] https://bugzilla.mozilla.org/show_bug.cgi?id=587931 [2] http://www.mail-archive.com/whatwg at lists.whatwg.org/msg23015.html > Will
Received on Tuesday, 1 March 2011 13:58:43 UTC