[whatwg] Allow trailing slash in always-empty HTML5 elements?

Elliotte Harold elharo at metalab.unc.edu
Mon Dec 4 07:03:43 PST 2006


Mike Schinkel wrote:

> Hmm. I believe the HTTP standard states that clients are not supposed to
> override a content-type given by a server. For example, a web page showing a
> script virus shouldn't be identified by the client as a script and executed;
> the client should instead just display it as a web page like the server told
> it to.  Or am I missing your context?


Turn that example around. Suppose the web server says the document is a 
script that should be executed. Should the client execute it?

Of course not. Security demands that the client not execute the script 
in both cases: when the server says it is a script and when the server 
says it isn't.

Security requires that the client be in control of decisions about what 
the client does.

There are also many good nonsecurity reasons for putting the client in 
control.

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/


