[whatwg] should we add beforeload/afterload events to the web platform?
ian at hixie.ch
Thu Jun 7 14:26:02 PDT 2012
On Sat, 4 Feb 2012, Boris Zbarsky wrote:
> On 2/3/12 11:15 PM, Ian Hickson wrote:
> > I agree with you that if the author is using HTTP styles on their
> > HTTPS page that an attacker could screw with the page. But my point is
> > that fixing that is easy: just move the styles to HTTPS. In the case
> > of scripts it's not that easy because the scripts might be on
> > third-party servers
> Styles are also commonly found on third-party servers...
> > in complicated setups
Styles are not as generic as scripts. Styles are almost always very
specific to the site, so you have control over them. Scripts on the other
hand could be things like analytics, or be related to social widgets, or
who knows what else. (I'll grant that maybe some of those embed style
sheets which you might then want to enable, but I'd imagine most of them
would do that inside iframes, not directly in your page.)
The point being that while I could see wanting to control things
per-script (and I believe this is now specced out), I don't really see a
compellingly similar story for styles or for making this completely
Having said that, of course, if browser vendors implement it, I'll spec it...
(There were other e-mails on this thread but they did not seem to have any
actionable feedback on the spec so I have not included them here.)
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg