[whatwg] <include> element
jonas at sicking.cc
Fri Apr 27 03:36:34 PDT 2007
Martin Atkins wrote:
> Christian Schmidt wrote:
>> In practice, the result effect is often achieved by wrapping your
>> include file in a document.write() and including this using script a
>> <script src="...">. However, this makes it harder to write these
>> includes by hand (you have to escape certain characters, ' " \ \n \r
>> \t), and debugging also gets more difficult.
> This last point made me think of a related issue:
> When you use the above technique, the included script runs in the
> security context of the including page, and this technique therefore
> requires complete trust of the included document.
> Would documents included via <include> run in the security context of
> the including page, as with the script technique, or would they run in
> the context of the included document, as with iframes?
> Personally I favor the latter, but I wonder if this impact's anyone's
They would run in the context of the included page, just like an iframe.
The processing of <include> is exactly that of <iframe> the only
difference is in the rendering.
In fact, for security reasons we might end up having to use <iframe
type="include"> or some such rather than <include>
This is all detailed in my original proposal.
More information about the whatwg