On Fri, Jan 31, 2014 at 1:13 PM, Martin Georgiev <[email protected]> wrote:
> On Fri, Jan 31, 2014 at 2:58 PM, Andrew Grieve <[email protected]> wrote:
>> Ha! Well that's pretty clear. :) I don't think having JS generate it is a
>> good idea then.
>
> It is not. You as an app developer do not control who puts where their JS.
>
Remember, we're not App Developers, we're framework developers. Our users are app developers, usually novice ones who know nothing about security, and do stupid things like include random JS from anywhere on the web. These are the same people who do really stupid things like publish apps with practically no whitelist. This exercise is about adding a blade guard to our circular saw. Our users can still cut their hands off by being stupid, but it should be obvious that's what they're doing.
