On 7/22/14, 2:57 PM, Ben Maurer wrote:
Nothing prevents a website from downloading content via fetch/XHR and
simply inserting that text into the DOM.
Yes, I know that. But we're trying to develop a better API so sites
won't need/want to do that anymore, right? All I'm saying is that we
should make the new API play nicer with CSP and extensions than the "XHR
and stick it in" approach does. This won't stop _malicious_ sites,
obviously, but it'll help with user control for normal sites who
actually want to play nice with the user's settings.
This API seems strictly
better than a site that fetches text and just inserts it into the DOM.
Sure.
Also, it seems like CSP or extensions could still hook into this API,
maybe not as early as before. For example, CSP would still know the URL
of the resource that had been loaded as a script / stylesheet. While it
wouldn't be able to block the loading, it could block the document from
being turned into a script or stylesheet element.
Again, sure.
One could also imagine a flag passed to fetch saying "fetch this
document as if it were the src of a script tag".
Right, exactly.
That would actually simplify things for UAs as well; for example they
have to do different kinds of sniffing on different request types, so
knowing ahead of time what sort of thing you're requesting is quite helpful.
-Boris
