Importing modules inside HTML imports
bruant.d at gmail.com
Sun Aug 17 12:01:15 PDT 2014
On 17/08/2014 20:52, John Barton wrote:
> On Sun, Aug 17, 2014 at 11:14 AM, Rick Waldron <waldron.rick at gmail.com
> <mailto:waldron.rick at gmail.com>> wrote:
>> On Sunday, August 17, 2014, John Barton <johnjbarton at google.com
>> <mailto:johnjbarton at google.com>> wrote:
>>> On Sun, Aug 17, 2014 at 10:08 AM, Brendan Eich
>>> <brendan at mozilla.org> wrote:
>>>> John Barton wrote:
>>>>> On Sat, Aug 16, 2014 at 10:22 AM, Brendan Eich
>>>>> <brendan at mozilla.org <mailto:brendan at mozilla.org>> wrote:
>>>>>> Yes -- inline scripts, like document.write, the drive-in, disco,
>>>>>> and Fortran, will never die.
>>>>> More things I don't suggest investing effort in.
>>>> Seriously, inline scripts were and are important, both for
>>>> avoiding extra requests (even with HTTP++ these cost) and,
>>>> more important, for easiest and smoothest
>>>> beginner/first-script on ramp.
>>>> I have no idea why anyone would seriously contend
>>>> otherwise. Latency still matters; tools didn't replace
>>>> hand-authoring. These are not subjective matters.
>>> I agree, but the forces behind CSP control the servers.
>>> You'll have to convince them.
>> Forgive me, but I don't follow this—could you elaborate? It would
>> be appreciated.
> The argument goes like this: we all want secure Web pages, we can't
> secure Web pages that allow inline scripts
How so? I can write secure web pages that allow inline scripts.
As far as I'm concerned, unsafe-inline is part of what I consider my
default CSP policy.
Maybe we need to reconsider our server-side practices that mostly consist
of concatenating strings, though. I'm personally exploring generating a
DOM on the server-side (with .textContent, etc.).
Assuming control of the server-side, can you give an example of an
application where the page has inline scripts and cannot be secure?
> therefore we have to ban inline scripts.
> If the argument is wrong, ignore my advice, CSP will die. I personally
> think that would be great.
CSP isn't only about inline scripts. It's mostly about whitelisting
domains a page can load data from and send data to. That's extremely useful.
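A worked illustration of the two points made above, added here and not part of the thread: a server-side rendering path that assigns untrusted text through a textContent-style element instead of concatenating strings, next to a CSP that keeps 'unsafe-inline' for scripts while whitelisting the origins the page may load from and send to. The tiny element model, the policy helper and all origins are constructed assumptions, not any real library's API.

```javascript
// Added example (not from the thread): string concatenation versus a
// textContent-style server-side DOM, plus a CSP that keeps 'unsafe-inline'
// on script-src while whitelisting load/send origins (constructed values).
// Vulnerable: untrusted text is spliced straight into markup.
function renderByConcat(name) {
  return '<p>Hello, ' + name + '</p>';
}

// Minimal element model: text assigned via textContent is data, never markup,
// because the serializer escapes it (as a browser does for text nodes).
function createElement(tag) {
  return { tag, textContent: '' };
}
function escapeText(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function serialize(el) {
  return '<' + el.tag + '>' + escapeText(el.textContent) + '</' + el.tag + '>';
}
function renderByDom(name) {
  const p = createElement('p');
  p.textContent = 'Hello, ' + name;
  return serialize(p);
}
// CSP in the spirit of the message: 'unsafe-inline' stays on script-src, but
// the origins the page may fetch from and post to are listed explicitly.
function buildCsp(connectOrigins, imgOrigins) {
  return [
    "default-src 'self'",
    "script-src 'self' 'unsafe-inline'",
    "connect-src 'self' " + connectOrigins.join(' '),
    "img-src 'self' " + imgOrigins.join(' '),
  ].join('; ');
}
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name] = sources;
  }
  return directives;
}
// Would `directive` (e.g. connect-src) be allowed to reach `origin`? Falls
// back to default-src when the directive is absent, as CSP does.
function isSourceAllowed(policy, directive, origin, pageOrigin) {
  const d = parseCsp(policy);
  const sources = d[directive] || d['default-src'] || [];
  return sources.some(s => s === origin || (s === "'self'" && origin === pageOrigin));
}
```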