W3C home > Mailing lists > Public > www-html@w3.org > January 2003

Re: client-side include

From: Andrew Clover <and@doxdesk.com>
Date: Mon, 6 Jan 2003 11:56:18 +0000
To: www-html@w3.org
Message-ID: <20030106115618.GA20389@doxdesk.com>

Jonathan Chetwynd <j.chetwynd@btinternet.com> wrote:

> why was this not in the original spec?

It is inelegant and breaks many useful properties of HTML. The external
files referenced by such a tag would not be valid HTML (since they could
not include <html>, <body>, etc.). Both the external fragments and the
including file would become unvalidatable. The element that did the
inclusion itself would become inaccessible to the DOM.

There are also extreme security risks, if one site can include arbitrary
content from another. <iframe> and <object> have already provoked many
security holes due to bad cross-domain policy implementation in browsers;
having the actual content included directly in the document object model
rather than using a separate 'window' object would make it much more difficult
(impossible?) to implement a same-origin-policy, resulting in massive
cross-site security problems.

> where we are now, and how something similar might be achieved?

Use server-side includes.

Why should the client browser be expected to do your work for you?

Andrew Clover
Received on Monday, 6 January 2003 06:58:59 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 30 April 2020 16:20:48 UTC