Whenever this idea has come up (including the current /javascript implementation) I have always thought it was a bad idea, especially for JavaScript. Exposing more than absolutely needed for each website is, at minimum, an information leak. With JS or CSS it might lead to security issues in the web apps on the same domain. Instead, the scripts used for setting up vhosts should reference the needed CSS/JS/etc. dependencies using the web server or framework configuration. In addition, you can never know which URLs a specific web app, vhost or instance of a web app will use at runtime, so unilaterally taking over a generic path like /javascript, /assets, /_assets or /_sysassets is a recipe for annoying our users (social contract says no).
I also think web fonts (and other recent browser attack-surface bloat) are an insane idea for security. They also lead to sites doing stupid things like putting icons into the PUA of web fonts. They are yet another reason why I'm wishing I could leave the web. </rant>

-- 
bye,
pabs

http://wiki.debian.org/PaulWise