Shelley Powers wrote:
I found the WhatWG discussion, if you can call it that.
http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2011-June/032023.html
What are the procedures in place to control change during Last Call?
Shelley
For what it is worth, I don't think the content of the HTML document is
the place for security restrictions.
It is better to do it via something like Firefox's "Content Security
Policy" proposal, though I'm not sure if it currently covers ensuring
MIME types of served objects match the object description.
http://people.mozilla.com/~bsterne/content-security-policy/