Importing modules inside HTML imports

Rick Waldron waldron.rick at gmail.com
Sun Aug 17 13:53:48 PDT 2014


On Sun, Aug 17, 2014 at 2:52 PM, John Barton <johnjbarton at google.com> wrote:

>
>
>
> On Sun, Aug 17, 2014 at 11:14 AM, Rick Waldron <waldron.rick at gmail.com>
> wrote:
>
>>
>>
>> On Sunday, August 17, 2014, John Barton <johnjbarton at google.com> wrote:
>>
>>>
>>>
>>>
>>> On Sun, Aug 17, 2014 at 10:08 AM, Brendan Eich <brendan at mozilla.org>
>>> wrote:
>>>
>>>> John Barton wrote:
>>>>
>>>>> On Sat, Aug 16, 2014 at 10:22 AM, Brendan Eich <brendan at mozilla.org>
>>>>> wrote:
>>>>>
>>>>>     Yes -- inline scripts, like document.write, the drive-in, disco,
>>>>>     and Fortran, will never die.
>>>>>
>>>>>
>>>>> More things I don't suggest investing effort in.
>>>>>
>>>>
>>>> Seriously, inline scripts were and are important, both for avoiding
>>>> extra requests (even with HTTP++ these cost) and, more important, for
>>>> easiest and smoothest beginner/first-script on ramp.
>>>>
>>>> I have no idea why anyone would seriously contend otherwise. Latency
>>>> still matters; tools didn't replace hand-authoring. These are not
>>>> subjective matters.
>>>
>>>
>>> I agree, but the forces behind CSP control the servers.  You'll have to
>>> convince them.
>>>
>>
>> Forgive me, but I don't follow this—could you elaborate? It would be
>> appreciated.
>>
>
> The argument goes like this: we all want secure Web pages, we can't secure
> Web pages that allow inline scripts, therefore we have to ban inline
> scripts.
>
> If the argument is wrong, ignore my advice, CSP will die.  I personally
> think that would be great.
>
> If the argument is correct, then people who run servers and thus are
> liable for security failures will have to choose between security and "easiest
> and smoothest beginner/first-script on ramp". In my opinion, security will
> win this contest every time.  Server operators are under a lot of pressure
> to improve security so they are likely to adopt CSP requirements.
>
> Of course I could be wrong, that's the thing about advice.
>

Thanks John, I disagree, but I still appreciate your time in explaining.

Rick