Re: [whatwg] Fetch Objects and scripts/stylesheets

Nothing prevents a website from downloading content via fetch/XHR and
simply inserting that text into the DOM. For example, Gmail seems to fetch
many of its resources this way today. This API seems strictly better than a
site that fetches text and just inserts it into the DOM.

Also, it seems like CSP or extensions could still hook into this API, maybe
not as early as before. For example, CSP would still know the URL of the
resource that had been loaded as a script / stylesheet. While it wouldn't
be able to block the loading, it could block the document from being turned
into a script or stylesheet element.

One could also imagine a flag passed to fetch saying "fetch this document
as if it were the src of a script tag". Perhaps that flag would be
mandatory for one to use the asScript API.




On Tue, Jul 22, 2014 at 11:34 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 7/22/14, 2:01 PM, Ben Maurer wrote:
>
>> One advantage of doing this is that if there is some use case a site has
>> that isn't met by the dependency model they can still manually separate
>> the
>> fetch of an object from its insertion into the DOM.
>>
>
> One issue worth considering here: there are various situations (CSP,
> extension) in which a browser would like to know what sort of resource is
> being loaded, or more precisely how it will be consumed, before loading it.
>
> From that point of view, adding a way to customize fetch paramaters on
> <link rel="stylesheet"> or some other mechanism that tells the UA up front
> what is being fetched is vastly preferable to taking an existing fetch and
> synthesizing a stylesheet from it, because it provides a lot more control
> to the user agent and user's extensions.
>
> -Boris
>

Received on Tuesday, 22 July 2014 18:58:05 UTC