Re: Importing modules inside HTML imports

2014-08-17 Thread Brendan Eich

John Barton wrote:
The argument goes like this: we all want secure Web pages, we can't 
secure Web pages that allow inline scripts, therefore we have to ban 
inline scripts.


Nice syllogism but for the minor premise. Evidence? Links? Proof would 
be even better, but we're far afield from logic or Math.


/be
___
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss


Re: Importing modules inside HTML imports

2014-08-17 Thread Rick Waldron
On Sun, Aug 17, 2014 at 2:52 PM, John Barton  wrote:

>
>
>
> On Sun, Aug 17, 2014 at 11:14 AM, Rick Waldron 
> wrote:
>
>>
>>
>> On Sunday, August 17, 2014, John Barton  wrote:
>>
>>>
>>>
>>>
>>> On Sun, Aug 17, 2014 at 10:08 AM, Brendan Eich 
>>> wrote:
>>>
>>>> John Barton wrote:
>>>>
>>>>> On Sat, Aug 16, 2014 at 10:22 AM, Brendan Eich wrote:
>>>>>
>>>>> Yes -- inline scripts, like document.write, the drive-in, disco,
>>>>> and Fortran, will never die.
>>>>>
>>>>>
>>>>> More things I don't suggest investing effort in.
>>>>>
>>>>
>>>> Seriously, inline scripts were and are important, both for avoiding
>>>> extra requests (even with HTTP++ these cost) and, more important, for
>>>> easiest and smoothest beginner/first-script on ramp.
>>>>
>>>> I have no idea why anyone would seriously contend otherwise. Latency
>>>> still matters; tools didn't replace hand-authoring. These are not
>>>> subjective matters.
>>>
>>>
>>> I agree, but the forces behind CSP control the servers.  You'll have to
>>> convince them.
>>>
>>
>> Forgive me, but I don't follow this—could you elaborate? It would be
>> appreciated.
>>
>
> The argument goes like this: we all want secure Web pages, we can't secure
> Web pages that allow inline scripts, therefore we have to ban inline
> scripts.
>
> If the argument is wrong, ignore my advice, CSP will die.  I personally
> think that would be great.
>
> If the argument is correct, then people who run servers and thus are
> liable for security failures will have to choose between security and "easiest
> and smoothest beginner/first-script on ramp". In my opinion, security will
> win this contest every time.  Server operators are under a lot of pressure
> to improve security so they are likely to adopt CSP requirements.
>
> Of course I could be wrong, that's the thing about advice.
>

Thanks John, I disagree, but I still appreciate your time in explaining.

Rick


Re: Importing modules inside HTML imports

2014-08-17 Thread David Bruant

On 17/08/2014 20:52, John Barton wrote:
> On Sun, Aug 17, 2014 at 11:14 AM, Rick Waldron wrote:
>
>> On Sunday, August 17, 2014, John Barton wrote:
>>
>>> On Sun, Aug 17, 2014 at 10:08 AM, Brendan Eich wrote:
>>>
>>>> John Barton wrote:
>>>>
>>>>> On Sat, Aug 16, 2014 at 10:22 AM, Brendan Eich wrote:
>>>>>
>>>>> Yes -- inline scripts, like document.write, the drive-in, disco,
>>>>> and Fortran, will never die.
>>>>>
>>>>>
>>>>> More things I don't suggest investing effort in.
>>>>
>>>> Seriously, inline scripts were and are important, both for
>>>> avoiding extra requests (even with HTTP++ these cost) and,
>>>> more important, for easiest and smoothest
>>>> beginner/first-script on ramp.
>>>>
>>>> I have no idea why anyone would seriously contend
>>>> otherwise. Latency still matters; tools didn't replace
>>>> hand-authoring. These are not subjective matters.
>>>
>>> I agree, but the forces behind CSP control the servers.
>>> You'll have to convince them.
>>
>> Forgive me, but I don't follow this—could you elaborate? It would
>> be appreciated.
>
> The argument goes like this: we all want secure Web pages, we can't
> secure Web pages that allow inline scripts

How so? I can write secure web pages that allow inline scripts.
As far as I'm concerned, unsafe-inline is part of what I consider my
default CSP policy.
Maybe we need to reconsider our server-side practices that mostly consist
of concatenating strings, though. I'm personally exploring generating a
DOM on the server-side (with .textContent, etc.)

Assuming control of the server-side, can you give an example of an
application where the page has inline scripts and cannot be secure?

> therefore we have to ban inline scripts.
>
> If the argument is wrong, ignore my advice, CSP will die. I personally
> think that would be great.

CSP isn't only about inline scripts. It's mostly about whitelisting
domains a page can load data from and send data to. That's extremely useful.


David


Re: Importing modules inside HTML imports

2014-08-17 Thread John Barton
On Sun, Aug 17, 2014 at 11:14 AM, Rick Waldron 
wrote:

>
>
> On Sunday, August 17, 2014, John Barton  wrote:
>
>>
>>
>>
>> On Sun, Aug 17, 2014 at 10:08 AM, Brendan Eich 
>> wrote:
>>
>>> John Barton wrote:
>>>
>>>> On Sat, Aug 16, 2014 at 10:22 AM, Brendan Eich wrote:
>>>>
>>>> Yes -- inline scripts, like document.write, the drive-in, disco,
>>>> and Fortran, will never die.
>>>>
>>>>
>>>> More things I don't suggest investing effort in.
>>>>
>>>
>>> Seriously, inline scripts were and are important, both for avoiding
>>> extra requests (even with HTTP++ these cost) and, more important, for
>>> easiest and smoothest beginner/first-script on ramp.
>>>
>>> I have no idea why anyone would seriously contend otherwise. Latency
>>> still matters; tools didn't replace hand-authoring. These are not
>>> subjective matters.
>>
>>
>> I agree, but the forces behind CSP control the servers.  You'll have to
>> convince them.
>>
>
> Forgive me, but I don't follow this—could you elaborate? It would be
> appreciated.
>

The argument goes like this: we all want secure Web pages, we can't secure
Web pages that allow inline scripts, therefore we have to ban inline
scripts.

If the argument is wrong, ignore my advice, CSP will die.  I personally
think that would be great.

If the argument is correct, then people who run servers and thus are liable
for security failures will have to choose between security and "easiest and
smoothest beginner/first-script on ramp". In my opinion, security will win
this contest every time.  Server operators are under a lot of pressure to
improve security so they are likely to adopt CSP requirements.

Of course I could be wrong, that's the thing about advice.

HTH,
jjb


Re: Importing modules inside HTML imports

2014-08-17 Thread Brendan Eich

Rick Waldron wrote:


I agree, but the forces behind CSP control the servers.  You'll
have to convince them.


Forgive me, but I don't follow this—could you elaborate? It would be 
appreciated.


Inside-Google baseball, and I'll believe it when I see it.

/be


Re: Importing modules inside HTML imports

2014-08-17 Thread Rick Waldron
On Sunday, August 17, 2014, John Barton  wrote:

>
>
>
> On Sun, Aug 17, 2014 at 10:08 AM, Brendan Eich  > wrote:
>
>> John Barton wrote:
>>
>>> On Sat, Aug 16, 2014 at 10:22 AM, Brendan Eich wrote:
>>>
>>> Yes -- inline scripts, like document.write, the drive-in, disco,
>>> and Fortran, will never die.
>>>
>>>
>>> More things I don't suggest investing effort in.
>>>
>>
>> Seriously, inline scripts were and are important, both for avoiding extra
>> requests (even with HTTP++ these cost) and, more important, for easiest and
>> smoothest beginner/first-script on ramp.
>>
>> I have no idea why anyone would seriously contend otherwise. Latency
>> still matters; tools didn't replace hand-authoring. These are not
>> subjective matters.
>
>
> I agree, but the forces behind CSP control the servers.  You'll have to
> convince them.
>

Forgive me, but I don't follow this—could you elaborate? It would be
appreciated.

Rick



>
>
>>
>>
>> /be
>>
>
>


Re: Importing modules inside HTML imports

2014-08-17 Thread John Barton
On Sun, Aug 17, 2014 at 10:08 AM, Brendan Eich  wrote:

> John Barton wrote:
>
>> On Sat, Aug 16, 2014 at 10:22 AM, Brendan Eich wrote:
>>
>> Yes -- inline scripts, like document.write, the drive-in, disco,
>> and Fortran, will never die.
>>
>>
>> More things I don't suggest investing effort in.
>>
>
> Seriously, inline scripts were and are important, both for avoiding extra
> requests (even with HTTP++ these cost) and, more important, for easiest and
> smoothest beginner/first-script on ramp.
>
> I have no idea why anyone would seriously contend otherwise. Latency still
> matters; tools didn't replace hand-authoring. These are not subjective
> matters.


I agree, but the forces behind CSP control the servers.  You'll have to
convince them.


>
>
> /be
>


Re: Importing modules inside HTML imports

2014-08-17 Thread Brendan Eich

John Barton wrote:
On Sat, Aug 16, 2014 at 10:22 AM, Brendan Eich wrote:


Yes -- inline scripts, like document.write, the drive-in, disco,
and Fortran, will never die.


More things I don't suggest investing effort in.


Seriously, inline scripts were and are important, both for avoiding 
extra requests (even with HTTP++ these cost) and, more important, for 
easiest and smoothest beginner/first-script on ramp.


I have no idea why anyone would seriously contend otherwise. Latency 
still matters; tools didn't replace hand-authoring. These are not 
subjective matters.


/be


Re: Importing modules inside HTML imports

2014-08-17 Thread John Barton
On Sat, Aug 16, 2014 at 10:22 AM, Brendan Eich  wrote:

> Yes -- inline scripts, like document.write, the drive-in, disco, and
> Fortran, will never die.


More things I don't suggest investing effort in.


>
>
> /be
>
>
> Anne van Kesteren wrote:
>
>> On Sat, Aug 16, 2014 at 2:46 AM, John Barton
>> wrote:
>>
>>> >  As we noted in another thread, Web devs no longer control servers. And
>>> >  servers no longer allow inline script (for the most part going forward). So
>>> >  I don't see this feature as worth investing effort in. (I don't like it
>>> >  either, but it is what it is).
>>>
>>
>> That doesn't ring true. CSP didn't, but does now based on feedback
>> that not having inline scripts was too painful. I very much doubt they
>> will go away anytime soon.
>>
>