On Tue, May 14, 2013 at 2:21 PM, Simon Pieters <[email protected]> wrote:
> That seems to be an argument based on aesthetics. That's worth considering, > of course, but I think is a relatively weak argument. In particular I care > about the first bullet point above. <link> is not capable of executing > script from an external resource today. What are the implications if it > suddenly gains that ability? Given that WebAppSec peeps suggested that CSP treats <link rel=import> as script-src, I am pretty sure we're okay here. Are there any other things that we should worry about? There's one more ditty that seems valuable: HTML Imports scripts-blocking behavior is much closer to how <link rel=stylesheet> works (https://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/imports/index.html#dfn-import-ready-flag and thereabouts) :DG<
