Re: [whatwg] should we add beforeload/afterload events to the web platform?

On Sat, 4 Feb 2012, Boris Zbarsky wrote:
> On 2/3/12 11:15 PM, Ian Hickson wrote:
> > I agree with you that if the author is using HTTP styles on their 
> > HTTPS page that an attacker could screw with the page. But my point is 
> > that fixing that is easy: just move the styles to HTTPS. In the case 
> > of scripts it's not that easy because the scripts might be on 
> > third-party servers
> 
> Styles are also commonly found on third-party servers...
> 
> > in complicated setups
> 
> Likewise.

Styles are not as generic as scripts. Styles are almost always very 
specific to the site, so you have control over them. Scripts on the other 
hand could be things like analytics, or be related to social widgets, or 
who knows what else. (I'll grant that maybe some of those embed style 
sheets which you might then want to enable, but I'd imagine most of them 
would do that inside iframes, not directly in your page.)

The point being that while I could see wanting to control things 
per-script (and I believe this is now specced out), I don't really see a 
compellingly similar story for styles or for making this completely 
generic.

Having said that, of course, if browser vendors implement it, I'll spec it...


(There were other e-mails on this thread but they did not seem to have any 
actionable feedback on the spec so I have not included them here.)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 7 June 2012 21:26:34 UTC