[whatwg] Allow trailing slash in always-empty HTML5 elements?
Elliotte Harold
elharo at metalab.unc.edu
Mon Dec 4 07:03:43 PST 2006
Mike Schinkel wrote:
> Hmm. I believe the http standard states that clients are not suppose to
> override a content-type given by a server. For example, a web page showing a
> script virus shouldn't be identified by the client as a script and executed;
> the client should instead just display it as a web page like the server told
> it to. Or am I missing your context?
Turn that example around. Suppose the web server says the document is a
script that should be executed. Should the client execute it?
Of course not. Security demands that the client not execute the script
in both cases: when the server says it is a script and when the server
says it isn't.
Security requires that the client be in control of decisions about what
the client does.
There are also many good nonsecurity reasons for putting the client in
control.
--
Elliotte Rusty Harold elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/
More information about the whatwg
mailing list