Importing modules inside HTML imports

David Bruant bruant.d at gmail.com
Sun Aug 17 12:01:15 PDT 2014


Le 17/08/2014 20:52, John Barton a écrit :
>
> On Sun, Aug 17, 2014 at 11:14 AM, Rick Waldron <waldron.rick at gmail.com 
> <mailto:waldron.rick at gmail.com>> wrote:
>
>
>     On Sunday, August 17, 2014, John Barton <johnjbarton at google.com
>     <mailto:johnjbarton at google.com>> wrote:
>
>
>         On Sun, Aug 17, 2014 at 10:08 AM, Brendan Eich
>         <brendan at mozilla.org> wrote:
>
>             John Barton wrote:
>
>                 On Sat, Aug 16, 2014 at 10:22 AM, Brendan Eich
>                 <brendan at mozilla.org <mailto:brendan at mozilla.org>> wrote:
>
>                     Yes -- inline scripts, like document.write, the
>                 drive-in, disco,
>                     and Fortran, will never die.
>
>
>                 More things I don't suggest investing effort in.
>
>
>             Seriously, inline scripts were and are important, both for
>             avoiding extra requests (even with HTTP++ these cost) and,
>             more important, for easiest and smoothest
>             beginner/first-script on ramp.
>
>             I have no idea why anyone would seriously contend
>             otherwise. Latency still matters; tools didn't replace
>             hand-authoring. These are not subjective matters.
>
>
>         I agree, but the forces behind CSP control the servers.
>          You'll have to convince them.
>
>
>     Forgive me, but I don't follow this—could you elaborate? It would
>     be appreciated.
>
>
> The argument goes like this: we all want secure Web pages, we can't 
> secure Web pages that allow inline scripts
How so? I can write secure web pages that allow inline scripts.
As far as I'm concerned, unsafe-inline is part of what I consider my 
default CSP policy.
Maybe we need to reconsider our server-side pratices that mostly consist 
of concatenating strings, though. I'm personally exploring generating a 
DOM on the server-side (with .textContent, etc.)

Assuming control of the server-side, can you give an example of an 
application where the page has inline scripts and cannot be secure?

> therefore we have to ban inline scripts.
>
> If the argument is wrong, ignore my advice, CSP will die. I personally 
> think that would be great.
CSP isn't only about inline scripts. It's mostly about whitelisting 
domains a page can load data from and send data to. That's extremely useful.

David
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/es-discuss/attachments/20140817/88b64761/attachment.html>


More information about the es-discuss mailing list