- From: ??? <willchan@chromium.org>
- Date: Tue, 22 Jul 2014 12:13:19 -0700
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: "whatwg@lists.whatwg.org" <whatwg@lists.whatwg.org>, Ben Maurer <ben.maurer@gmail.com>
On Tue, Jul 22, 2014 at 12:03 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 7/22/14, 2:57 PM, Ben Maurer wrote:
>
>> Nothing prevents a website from downloading content via fetch/XHR and
>> simply inserting that text into the DOM.
>
> Yes, I know that. But we're trying to develop a better API so sites won't
> need/want to do that anymore, right? All I'm saying is that we should make
> the new API play nicer with CSP and extensions than the "XHR and stick it
> in" approach does. This won't stop _malicious_ sites, obviously, but it'll
> help with user control for normal sites who actually want to play nice with
> the user's settings.

+1

Also, I'd like to note that, at least for now without a better prioritization system (I know you'd like to do a client<=>server prior-knowledge-based prioritization mechanism, smuggling prioritization metadata via opaque-to-the-UA HTTP headers, using the headers attribute), browsers rely on resource type as a key input to their prioritization heuristics. Gmail and G+ both found that this interacted poorly with their XHR-based resource loading [1] [2], since XHRs hide the true resource type.

>> This API seems strictly
>> better than a site that fetches text and just inserts it into the DOM.
>
> Sure.
>
>> Also, it seems like CSP or extensions could still hook into this API,
>> maybe not as early as before. For example, CSP would still know the URL
>> of the resource that had been loaded as a script / stylesheet. While it
>> wouldn't be able to block the loading, it could block the document from
>> being turned into a script or stylesheet element.
>
> Again, sure.
>
>> One could also imagine a flag passed to fetch saying "fetch this
>> document as if it were the src of a script tag".
>
> Right, exactly.
>
> That would actually simplify things for UAs as well; for example they have
> to do different kinds of sniffing on different request types, so knowing
> ahead of time what sort of thing you're requesting is quite helpful.
>
> -Boris

[1] - https://insouciant.org/tech/spdy-prioritization-case-study-gmail/
[2] - https://plus.google.com/+ShubhiePanicker/posts/Uw87yxQFCfY
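Added example, not from this thread or from any browser's code: a simplified model of the point Boris and Ben make above, that the user agent has to know a request's destination (script, stylesheet, or opaque fetch) before it can pick the CSP directive that applies, so the same URL can pass connect-src yet be refused as a script. The policy, page origin and URLs are constructed; matching is reduced to 'self', '*' and scheme/host comparison (nonces, hashes, paths and wildcard hosts are left out).

```javascript
// Simplified CSP check (added example). Real CSP source matching also handles
// paths, wildcard hosts, nonces and hashes; those are deliberately omitted here.
const DIRECTIVE_FOR_DESTINATION = {
  script: "script-src",
  style: "style-src",
  fetch: "connect-src", // fetch()/XHR responses are governed by connect-src
};

// Parse "script-src 'self' https://cdn.example; connect-src 'self'" into a Map
// from directive name to its list of source expressions.
function parsePolicy(policyText) {
  const directives = new Map();
  for (const part of policyText.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Does one source expression match a parsed URL loaded by a page at pageOrigin?
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === "*") return true; // simplification: real CSP excludes data:, blob:, etc.
  if (source.includes("://")) {
    const expr = new URL(source);
    return expr.protocol === url.protocol && expr.host === url.host;
  }
  return source === url.host; // host-source without a scheme: compare host only
}

// Decide whether loading urlText for the given destination is allowed.
// A missing specific directive falls back to default-src, as in CSP.
function isAllowed(policyText, pageOrigin, urlText, destination) {
  const name = DIRECTIVE_FOR_DESTINATION[destination];
  if (!name) throw new Error(`unknown destination: ${destination}`);
  const directives = parsePolicy(policyText);
  const sources = directives.get(name) || directives.get("default-src");
  if (!sources) return true; // no applicable directive: nothing to enforce
  const url = new URL(urlText);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed policy: data may be fetched from anywhere, script only from the page's origin.
const POLICY = "default-src 'self'; connect-src *; script-src 'self'";
const PAGE_ORIGIN = "https://app.example";
const LIB = "https://cdn.example/lib.js";
console.log(isAllowed(POLICY, PAGE_ORIGIN, LIB, "fetch"));  // true: opaque data is allowed
console.log(isAllowed(POLICY, PAGE_ORIGIN, LIB, "script")); // false: the same bytes as a script
```

Without the destination, a user agent could only apply connect-src and would have to accept the download; with it, the later "turn this into a script" step is where the policy can still refuse.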
Received on Tuesday, 22 July 2014 19:13:44 UTC