- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 7 Jun 2012 21:26:02 +0000 (UTC)
- To: Boris Zbarsky <bzbarsky@MIT.EDU>, Adam Barth <w3c@adambarth.com>, Henri Sivonen <hsivonen@iki.fi>
- Cc: whatwg@lists.whatwg.org, Adam Barth <abarth@eecs.berkeley.edu>
On Sat, 4 Feb 2012, Boris Zbarsky wrote:
> On 2/3/12 11:15 PM, Ian Hickson wrote:
> > I agree with you that if the author is using HTTP styles on their
> > HTTPS page that an attacker could screw with the page. But my point is
> > that fixing that is easy: just move the styles to HTTPS. In the case
> > of scripts it's not that easy because the scripts might be on
> > third-party servers
>
> Styles are also commonly found on third-party servers...
>
> > in complicated setups
>
> Likewise.

Styles are not as generic as scripts. Styles are almost always very
specific to the site, so you have control over them. Scripts on the other
hand could be things like analytics, or be related to social widgets, or
who knows what else. (I'll grant that maybe some of those embed style
sheets which you might then want to enable, but I'd imagine most of them
would do that inside iframes, not directly in your page.)

The point being that while I could see wanting to control things
per-script (and I believe this is now specced out), I don't really see a
compellingly similar story for styles or for making this completely
generic.

Having said that, of course, if browser vendors implement it, I'll spec
it...

(There were other e-mails on this thread but they did not seem to have any
actionable feedback on the spec so I have not included them here.)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Thursday, 7 June 2012 21:26:34 UTC