Importing modules inside HTML imports
johnjbarton at google.com
Sun Aug 17 11:52:36 PDT 2014
On Sun, Aug 17, 2014 at 11:14 AM, Rick Waldron <waldron.rick at gmail.com>
> On Sunday, August 17, 2014, John Barton <johnjbarton at google.com> wrote:
>> On Sun, Aug 17, 2014 at 10:08 AM, Brendan Eich <brendan at mozilla.org>
>>> John Barton wrote:
>>> On Sat, Aug 16, 2014 at 10:22 AM, Brendan Eich <brendan at mozilla.org
>>>> <mailto:brendan at mozilla.org>> wrote:
>>>> Yes -- inline scripts, like document.write, the drive-in, disco,
>>>> and Fortran, will never die.
>>>> More things I don't suggest investing effort in.
>>> Seriously, inline scripts were and are important, both for avoiding
>>> extra requests (even with HTTP++ these cost) and, more important, for
>>> easiest and smoothest beginner/first-script on ramp.
>>> I have no idea why anyone would seriously contend otherwise. Latency
>>> still matters; tools didn't replace hand-authoring. These are not
>>> subjective matters.
>> I agree, but the forces behind CSP control the servers. You'll have to
>> convince them.
> Forgive me, but I don't follow this—could you elaborate? It would be
The argument goes like this: we all want secure Web pages, we can't secure
Web pages that allow inline scripts, therefore we have to ban inline
If the argument is wrong, ignore my advice, CSP will die. I personally
think that would be great.
If the argument is correct, then people who run servers and thus are liable
for security failures will have to choose between security and "easiest and
smoothest beginner/first-script on ramp". In my opinion, security will win
this contest every time. Server operators are under a lot of pressure to
improve security so they are likely to adopt CSP requirements.
Of course I could be wrong, that's the thing about advice.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the es-discuss