- From: Andrew Clover <and@doxdesk.com>
- Date: Mon, 6 Jan 2003 11:56:18 +0000
- To: www-html@w3.org
Jonathan Chetwynd <j.chetwynd@btinternet.com> wrote: > why was this not in the original spec? It is inelegant and breaks many useful properties of HTML. The external files referenced by such a tag would not be valid HTML (since they could not include <html>, <body>, etc.). Both the external fragments and the including file would become unvalidatable. The element that did the inclusion itself would become inaccessible to the DOM. There are also extreme security risks, if one site can include arbitrary content from another. <iframe> and <object> have already provoked many security holes due to bad cross-domain policy implementation in browsers; having the actual content included directly in the document object model rather than using a separate 'window' object would make it much more difficult (impossible?) to implement a same-origin-policy, resulting in massive cross-site security problems. > where we are now, and how something similar might be achieved? Use server-side includes. Why should the client browser be expected to do your work for you? -- Andrew Clover mailto:and@doxdesk.com http://www.doxdesk.com/
Received on Monday, 6 January 2003 06:58:59 UTC