Symbols, Protocols, Frames, and Versioning

David Bruant bruant.d at gmail.com
Sat Oct 6 11:11:30 PDT 2012


Le 06/10/2012 19:52, Allen Wirfs-Brock a écrit :
> (...)
>
> Either of these use cases seem like something that should be easily
> accomplished, if you are defining the module loaders that set up the
> frames and control module loading into the frames.
True. That may be a good idea to think about it from this angle, I
totally agree.

> However, if you simply use HTML iframes then you are presumably using
> an implementation provided module loader that implements the
> cross-frame sharing rules defined by the html spec.  Can the first
> approach be accomplished today using iframes?
I guess not. There were some flaws in how HTML handles scripts, namely
(among others) unconditional execution of inline scripts and
unconditional execution of scripts whichever there source is. Both could
lead to XSS as we know.
Since the flaws couldn't be fixed at the content level, they've been
fixed at a lower-level (CSP). It might be where to find the solution.

Assuming every set of frame is a tree, maybe an HTML attribute could
define a script source which defines a module loader for how modules are
being imported in the iframe?

David


More information about the es-discuss mailing list