[whatwg] Wasn't there going to be a strict spec?

David Bruant bruant.d at gmail.com
Fri Aug 10 17:25:24 PDT 2012


Le 10/08/2012 20:06, Erik Reppen a écrit :
> Sorry if this double-posted but I think I forgot to CC the list.
>
> Browser vendor politics I can understand but if we're going to talk about
> what "history shows" about people like myself suggesting features we can't
> actually support I'd like to see some studies that contradict the
> experiences I've had as a web ui developer for the last five years.
>
> Everybody seems on board with providing a JavaScript strict mode. How is
> this any different?
JavaScript strict mode enables to make a JavaScript program secure 
(there is some additional work to do, but you can do it yourself as a 
programmer) while it's almost impossible to write a secure program in 
non-strict JavaScript because of scope-violating (indirect) eval. 
JavaScript strict mode is almost a different language with that regard.
The ability to write securable JavaScript required an intervention at 
the language level.

HTML has no such thing to win with a strict mode as far as I know.
Also, JS strict mode deals with runtime and not syntax (with statement 
aside). That's far different from what could be expected from an HTML 
strict mode.

To some extent, CSP ("Content Security Policy", about to reach 
Recommandation stage soon) is your "HTML strict mode" if you care about 
security.

David



More information about the whatwg mailing list