[whatwg] XML data islands related question
Jukka K. Korpela
jkorpela at cs.tut.fi
Thu Aug 8 07:01:25 PDT 2013
2013-08-08 9:13, Ian Hickson wrote:
> XHR uses the same underlying logic as <img src=""> and <script src="">. If
> you're able to conjur a file up for <img src=""> or <script src="">, then
> I don't see why you wouldn't be able to conjur it up for XHR.
When a local HTML file is opened in a browser and it accesses local
files, with simple relative URLs like "foo.png" or "bar.js", <img
src=""> and <script src=""> do not cause HTTP requests of any kind.
> Could you
> elaborate on exactly what you mean by "truly local HTML5 application"?
At the simplest case, it is a set of files (HTML, CSS, JavaScript, image
files), and launching the application means opening the HTML file in a
browser, or in a sufficiently browser-like program. Conceptually, this
would work even if the Internet didn’t exist. In practice, such
applications are often distributed via web servers, and they may have
URLs, but they can also be distributed on different media offline.
(The issue is also relevant to applications that are not completely
local and offline but may use HTTP connections for various purposes. For
them, the point is that HTTP requests should not be done in vain, e.g.
for a large static data file.)
So the question is: if I can use images and scripts in separate files in
that setup, accessed directly as local files by the browser (or alike),
why can’t I do the same for plain text, CSV, or XML data? If there is a
security risk, then surely it must be bigger for <script> that refers to
a JavaScript file via src=... than for <script> that refers to a plain
text file via src=... Yet the latter is disallowed. Whatever the reasons
might be, I don’t think specifications should declare it as prohibited,
though they can warn that implementations may pose such restrictions.
Yucca
More information about the whatwg
mailing list