On Sun, Aug 17, 2014 at 8:52 PM, John Barton johnjbar...@google.com wrote:
The argument goes like this: we all want secure Web pages, we can't secure
Web pages that allow inline scripts, therefore we have to ban inline
scripts.
If the argument is wrong, ignore my advice, CSP will die. I
On Mon, Aug 18, 2014 at 12:57 AM, Anne van Kesteren ann...@annevk.nl
wrote:
On Sun, Aug 17, 2014 at 8:52 PM, John Barton johnjbar...@google.com
wrote:
The argument goes like this: we all want secure Web pages, we can't
secure
Web pages that allow inline scripts, therefore we have to ban
On Mon, Aug 18, 2014 at 4:57 PM, John Barton johnjbar...@google.com wrote:
So you are claiming that CSP no longer restricts inline scripts and that the
various online docs are incorrect? Or only that the server set the
unsafe-inline value to opt out of the restriction?
Neither. See
On Mon, Aug 18, 2014 at 8:02 AM, Anne van Kesteren ann...@annevk.nl wrote:
On Mon, Aug 18, 2014 at 4:57 PM, John Barton johnjbar...@google.com
wrote:
So you are claiming that CSP no longer restricts inline scripts and that
the
various online docs are incorrect? Or only that the server
John, you can also use SPDY/HTTP2.0 PUSH to send sticky code alongside with the
original HTML that will mimic the use of inline scripts but behaves like an
external script. Essentially, you will have: `script
src=/my-sticky-data-and-initialization-per-page.js/script`, while that
script is
Sounds promising, but the key use case cited by Brendan is ease-of-use so
it's important that all of this happens by default as far as Web devs are
concerned.
On Mon, Aug 18, 2014 at 11:23 AM, caridy car...@gmail.com wrote:
John, you can also use SPDY/HTTP2.0 PUSH to send sticky code alongside
On Sat, Aug 16, 2014 at 10:22 AM, Brendan Eich bren...@mozilla.org wrote:
Yes -- inline scripts, like document.write, the drive-in, disco, and
Fortran, will never die.
More things I don't suggest investing effort in.
/be
Anne van Kesteren wrote:
On Sat, Aug 16, 2014 at 2:46 AM, John
John Barton wrote:
On Sat, Aug 16, 2014 at 10:22 AM, Brendan Eich bren...@mozilla.org
mailto:bren...@mozilla.org wrote:
Yes -- inline scripts, like document.write, the drive-in, disco,
and Fortran, will never die.
More things I don't suggest investing effort in.
Seriously, inline
On Sun, Aug 17, 2014 at 10:08 AM, Brendan Eich bren...@mozilla.org wrote:
John Barton wrote:
On Sat, Aug 16, 2014 at 10:22 AM, Brendan Eich bren...@mozilla.org
mailto:bren...@mozilla.org wrote:
Yes -- inline scripts, like document.write, the drive-in, disco,
and Fortran, will
On Sunday, August 17, 2014, John Barton johnjbar...@google.com wrote:
On Sun, Aug 17, 2014 at 10:08 AM, Brendan Eich bren...@mozilla.org
javascript:_e(%7B%7D,'cvml','bren...@mozilla.org'); wrote:
John Barton wrote:
On Sat, Aug 16, 2014 at 10:22 AM, Brendan Eich bren...@mozilla.org
On Sun, Aug 17, 2014 at 11:14 AM, Rick Waldron waldron.r...@gmail.com
wrote:
On Sunday, August 17, 2014, John Barton johnjbar...@google.com wrote:
On Sun, Aug 17, 2014 at 10:08 AM, Brendan Eich bren...@mozilla.org
wrote:
John Barton wrote:
On Sat, Aug 16, 2014 at 10:22 AM, Brendan
On Sun, Aug 17, 2014 at 2:52 PM, John Barton johnjbar...@google.com wrote:
On Sun, Aug 17, 2014 at 11:14 AM, Rick Waldron waldron.r...@gmail.com
wrote:
On Sunday, August 17, 2014, John Barton johnjbar...@google.com wrote:
On Sun, Aug 17, 2014 at 10:08 AM, Brendan Eich
John Barton wrote:
The argument goes like this: we all want secure Web pages, we can't
secure Web pages that allow inline scripts, therefore we have to ban
inline scripts.
Nice syllogism but for the minor premise. Evidence? Links? Proof would
be even better, but we're far afield from logic
On Sat, Aug 16, 2014 at 2:46 AM, John Barton johnjbar...@google.com wrote:
As we noted in another thread, Web devs no longer control servers. And
servers no longer allow inline script (for the most part going forward). So
I don't see this feature as worth investing effort in. (I don't like it
Yes -- inline scripts, like document.write, the drive-in, disco, and
Fortran, will never die.
/be
Anne van Kesteren wrote:
On Sat, Aug 16, 2014 at 2:46 AM, John Bartonjohnjbar...@google.com wrote:
As we noted in another thread, Web devs no longer control servers. And
servers no longer
Suppose you have an HTML import foo.html that declares two modules:
script type=module id=a ... /script
script type=module id=b ... /script
How should they refer to each other? For example, if module id=b wants to
import module id=a? I suppose the logical way is like this:
import #a;
On Fri, Aug 15, 2014 at 3:06 PM, Ian Hickson i...@hixie.ch wrote:
Suppose you have an HTML import foo.html that declares two modules:
script type=module id=a ... /script
script type=module id=b ... /script
As we noted in another thread, Web devs no longer control servers. And
servers
17 matches
Mail list logo