On Sun, Aug 17, 2014 at 2:52 PM, John Barton <[email protected]> wrote:
> On Sun, Aug 17, 2014 at 11:14 AM, Rick Waldron <[email protected]> wrote:
>
>> On Sunday, August 17, 2014, John Barton <[email protected]> wrote:
>>
>>> On Sun, Aug 17, 2014 at 10:08 AM, Brendan Eich <[email protected]> wrote:
>>>
>>>> John Barton wrote:
>>>>
>>>>> On Sat, Aug 16, 2014 at 10:22 AM, Brendan Eich <[email protected]> wrote:
>>>>>
>>>>>     Yes -- inline scripts, like document.write, the drive-in, disco,
>>>>>     and Fortran, will never die.
>>>>>
>>>>> More things I don't suggest investing effort in.
>>>>
>>>> Seriously, inline scripts were and are important, both for avoiding
>>>> extra requests (even with HTTP++ these cost) and, more important, for
>>>> easiest and smoothest beginner/first-script on ramp.
>>>>
>>>> I have no idea why anyone would seriously contend otherwise. Latency
>>>> still matters; tools didn't replace hand-authoring. These are not
>>>> subjective matters.
>>>
>>> I agree, but the forces behind CSP control the servers. You'll have to
>>> convince them.
>>
>> Forgive me, but I don't follow this—could you elaborate? It would be
>> appreciated.
>
> The argument goes like this: we all want secure Web pages, we can't secure
> Web pages that allow inline scripts, therefore we have to ban inline
> scripts.
>
> If the argument is wrong, ignore my advice, CSP will die. I personally
> think that would be great.
>
> If the argument is correct, then people who run servers and thus are
> liable for security failures will have to choose between security and "easiest
> and smoothest beginner/first-script on ramp". In my opinion, security will
> win this contest every time. Server operators are under a lot of pressure
> to improve security so they are likely to adopt CSP requirements.
>
> Of course I could be wrong, that's the thing about advice.

Thanks John, I disagree, but I still appreciate your time in explaining.

Rick
_______________________________________________
es-discuss mailing list
[email protected]
https://mail.mozilla.org/listinfo/es-discuss

