Bill McCormick wrote:

>Gertjan Klein wrote:

>>AFAICS, the *only* difference
>> between csp:include and <--#include --> is (or should be) that the
>> former does a runtime inclusion, and the latter a compile-time one.
>
>This is not exactly the case in my opinion. As I stated earlier the one 
>is a runtime inclusion and therefore logically must/should be another 
>CSP page.

Why? Kevin, for example, uses it to include fragments of JavaScript.
Another possible use is including customized CSS. In general, anything
that one needs to include in more than one CSP page, and that needs to
be easily changed, would qualify for csp:include. I would call neither
of the above two examples a "CSP page". (Again, I find the use of the
phrase "CSP page" confusing in this context. In my view, a CSP *page*
is the whole thing, as served to e.g. the browser, and a mere fragment
of that is -- well, a fragment.)

>The Serve Files option is dangerous and should be off as a 
>general rule. I agree with Kevin that changing the behavior or 
>tightening it so late in the game is not playing nice and should be 
>documented but this flag is even worse in my mind.

Agreed.

>> (As to the subject of parameters: both include versions support COS
>> expression substitution in the usual form: #(COS)#. You may be able to
>> use that to your advantage -- unless ISC decides to change that,
>> too...)

Are there any differences I'm not aware of, that refute my statement
that the only difference is compile-time/runtime substitution? (BTW,
*if* that is the only difference, a simple flag attribute in
csp:include could have made <--#include --> redundant.)

Gertjan.

-- 
Gertjan Klein
