Le 17/08/2014 20:52, John Barton a écrit :

On Sun, Aug 17, 2014 at 11:14 AM, Rick Waldron <[email protected] <mailto:[email protected]>> wrote:


    On Sunday, August 17, 2014, John Barton <[email protected]
    <mailto:[email protected]>> wrote:


        On Sun, Aug 17, 2014 at 10:08 AM, Brendan Eich
        <[email protected]> wrote:

            John Barton wrote:

                On Sat, Aug 16, 2014 at 10:22 AM, Brendan Eich
                <[email protected] <mailto:[email protected]>> wrote:

                    Yes -- inline scripts, like document.write, the
                    drive-in, disco, and Fortran, will never die.


                More things I don't suggest investing effort in.


            Seriously, inline scripts were and are important, both for
            avoiding extra requests (even with HTTP++ these cost) and,
            more important, for easiest and smoothest
            beginner/first-script on ramp.

            I have no idea why anyone would seriously contend
            otherwise. Latency still matters; tools didn't replace
            hand-authoring. These are not subjective matters.


        I agree, but the forces behind CSP control the servers.
         You'll have to convince them.


    Forgive me, but I don't follow this—could you elaborate? It would
    be appreciated.


The argument goes like this: we all want secure Web pages, we can't secure Web pages that allow inline scripts
How so? I can write secure web pages that allow inline scripts.
As far as I'm concerned, unsafe-inline is part of what I consider my default CSP policy. Maybe we need to reconsider our server-side practices that mostly consist of concatenating strings, though. I'm personally exploring generating a DOM on the server-side (with .textContent, etc.).

Assuming control of the server-side, can you give an example of an application where the page has inline scripts and cannot be secure?

therefore we have to ban inline scripts.

If the argument is wrong, ignore my advice, CSP will die. I personally think that would be great.
CSP isn't only about inline scripts. It's mostly about whitelisting domains a page can load data from and send data to. That's extremely useful.

David
_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss
