[whatwg] should we add beforeload/afterload events to the web platform?
Ian Hickson
ian at hixie.ch
Fri Feb 3 20:15:40 PST 2012

On Fri, 3 Feb 2012, Boris Zbarsky wrote:
> On 2/3/12 10:53 PM, Ian Hickson wrote:
> > Surely for the style sheets there's far less of a difficulty in
> > getting things right? I don't really understand what vulnerability
> > would be relevant here such that you'd need per-stylesheet control
> > over what was being imported.
>
> Hmm. I sort of assume that if you can control the styles you can really
> mess with the page, and probably get the user to do things the user
> doesn't really want to do. But maybe this is me overworrying?

No, I agree with you that if the author is using HTTP styles on their
HTTPS page that an attacker could screw with the page. But my point is
that fixing that is easy: just move the styles to HTTPS. In the case of
scripts it's not that easy because the scripts might be on third-party
servers, in complicated setups, etc. So one could see a situation in which
one might want (during a still-insecure transition period) control over
the scripts on an individual basis, so that scripts that are known to no
longer be needed can be excluded even if they are still referenced
somewhere.

Adam might be able to comment more specifically on concrete examples of
this kind of thing though in case I am missing some key point!
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'