On Sun, Aug 17, 2014 at 11:14 AM, Rick Waldron <waldron.r...@gmail.com> wrote:
> On Sunday, August 17, 2014, John Barton <johnjbar...@google.com> wrote:
>
>> On Sun, Aug 17, 2014 at 10:08 AM, Brendan Eich <bren...@mozilla.org> wrote:
>>
>>> John Barton wrote:
>>>
>>>> On Sat, Aug 16, 2014 at 10:22 AM, Brendan Eich <bren...@mozilla.org <mailto:bren...@mozilla.org>> wrote:
>>>>
>>>>     Yes -- inline scripts, like document.write, the drive-in, disco,
>>>>     and Fortran, will never die.
>>>>
>>>> More things I don't suggest investing effort in.
>>>
>>> Seriously, inline scripts were and are important, both for avoiding
>>> extra requests (even with HTTP++ these cost) and, more important, for
>>> easiest and smoothest beginner/first-script on ramp.
>>>
>>> I have no idea why anyone would seriously contend otherwise. Latency
>>> still matters; tools didn't replace hand-authoring. These are not
>>> subjective matters.
>>
>> I agree, but the forces behind CSP control the servers. You'll have to
>> convince them.
>
> Forgive me, but I don't follow this—could you elaborate? It would be
> appreciated.

The argument goes like this: we all want secure Web pages, we can't secure Web pages that allow inline scripts, therefore we have to ban inline scripts.

If the argument is wrong, ignore my advice, CSP will die. I personally think that would be great.

If the argument is correct, then people who run servers and thus are liable for security failures will have to choose between security and "easiest and smoothest beginner/first-script on ramp". In my opinion, security will win this contest every time. Server operators are under a lot of pressure to improve security so they are likely to adopt CSP requirements.

Of course I could be wrong, that's the thing about advice.

HTH,
jjb