- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 22 Jul 2014 15:03:29 -0400
- To: Ben Maurer <ben.maurer@gmail.com>
- Cc: whatwg@lists.whatwg.org
On 7/22/14, 2:57 PM, Ben Maurer wrote:
> Nothing prevents a website from downloading content via fetch/XHR and
> simply inserting that text into the DOM.

Yes, I know that. But we're trying to develop a better API so sites won't need/want to do that anymore, right? All I'm saying is that we should make the new API play nicer with CSP and extensions than the "XHR and stick it in" approach does. This won't stop _malicious_ sites, obviously, but it'll help with user control for normal sites that actually want to play nice with the user's settings.

> This API seems strictly
> better than a site that fetches text and just inserts it into the DOM.

Sure.

> Also, it seems like CSP or extensions could still hook into this API,
> maybe not as early as before. For example, CSP would still know the URL
> of the resource that had been loaded as a script / stylesheet. While it
> wouldn't be able to block the loading, it could block the document from
> being turned into a script or stylesheet element.

Again, sure.

> One could also imagine a flag passed to fetch saying "fetch this
> document as if it were the src of a script tag".

Right, exactly. That would actually simplify things for UAs as well; for example they have to do different kinds of sniffing on different request types, so knowing ahead of time what sort of thing you're requesting is quite helpful.

-Boris
Received on Tuesday, 22 July 2014 19:03:56 UTC