On 19/02/2012 22:57, Anne van Kesteren wrote:
> On Sun, 19 Feb 2012 21:29:48 +0100, David Bruant <bruan...@gmail.com>
> wrote:
>> I think a CSP-like solution should be explored.
>
> FWIW, the feedback on CORS (CSP-like) thus far has been that it's
> quite hard to set up custom headers.

Do you have a reference for this feedback? Under which circumstances is it hard?

One major annoyance I see in HTTP headers is that I have never heard of a hosting service allowing you to choose the HTTP headers your service is served with, and that's problematic. <meta http-equiv> is of some help to provide the feature without having control over the HTTP response, but in some cases, we want the HTTP header to mean something that is document-wise and a <meta> can be too late.

> So for something as commonly used as JavaScript I'm not sure we'd want
> to require that. And although more difficult, if we want <meta> it can
> be made to work, it's just more complicated than simply defining a
> name and a value. But maybe it should be something simpler, e.g.
>
> <html unicode>
>
> in the top-level browsing context's document.

I'm not sure it solves anything, since a script could be the first thing an HTML renderer comes across, even before a doctype, even before an <html> starting tag. My guess would be that the HTML spec defines that this script should be executed even if the "<script>" opening tag is the first bytes of the document.

David

_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss