- From: Ben Maurer <ben.maurer@gmail.com>
- Date: Tue, 22 Jul 2014 11:57:41 -0700
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: whatwg@lists.whatwg.org
Nothing prevents a website from downloading content via fetch/XHR and simply inserting that text into the DOM. For example, Gmail seems to fetch many of its resources this way today. This API seems strictly better than a site that fetches text and just inserts it into the DOM. Also, it seems like CSP or extensions could still hook into this API, maybe not as early as before. For example, CSP would still know the URL of the resource that had been loaded as a script / stylesheet. While it wouldn't be able to block the loading, it could block the document from being turned into a script or stylesheet element. One could also imagine a flag passed to fetch saying "fetch this document as if it were the src of a script tag". Perhaps that flag would be mandatory for one to use the asScript API. On Tue, Jul 22, 2014 at 11:34 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote: > On 7/22/14, 2:01 PM, Ben Maurer wrote: > >> One advantage of doing this is that if there is some use case a site has >> that isn't met by the dependency model they can still manually separate >> the >> fetch of an object from its insertion into the DOM. >> > > One issue worth considering here: there are various situations (CSP, > extension) in which a browser would like to know what sort of resource is > being loaded, or more precisely how it will be consumed, before loading it. > > From that point of view, adding a way to customize fetch paramaters on > <link rel="stylesheet"> or some other mechanism that tells the UA up front > what is being fetched is vastly preferable to taking an existing fetch and > synthesizing a stylesheet from it, because it provides a lot more control > to the user agent and user's extensions. > > -Boris >
Received on Tuesday, 22 July 2014 18:58:05 UTC