Martin Atkins wrote:
Christian Schmidt wrote:
In practice, the result effect is often achieved by wrapping your
include file in a document.write() and including this using script a
<script src="...">. However, this makes it harder to write these
includes by hand (you have to escape certain characters, ' " \ \n \r
\t), and debugging also gets more difficult.
This last point made me think of a related issue:
When you use the above technique, the included script runs in the
security context of the including page, and this technique therefore
requires complete trust of the included document.
Would documents included via <include> run in the security context of
the including page, as with the script technique, or would they run in
the context of the included document, as with iframes?
Personally I favor the latter, but I wonder if this impact's anyone's
use-cases?.
They would run in the context of the included page, just like an iframe.
The processing of <include> is exactly that of <iframe> the only
difference is in the rendering.
In fact, for security reasons we might end up having to use <iframe
type="include"> or some such rather than <include>
This is all detailed in my original proposal.
/ Jonas
