On 2013-09-17 02:52, Boris Zbarsky wrote:
On 9/16/13 8:06 PM, Adam Kowalczyk wrote:
and it displays content from many third-party sources on a
single page
You probably want iframes for that....
I'm using a resource:// URI loaded in a browser with type="content", so
the content is unprivileged and untrusted. Putting each feed entry into
its own iframe would probably carry a significant performance penalty.
Websites don't have the means to do it safely, though...
I haven't seen anyone address the arguably most important question: is
the feature
useful for the web at large?
It's not if we're the only one who ever supports it...
Alright then, *would* be useful if supported more widely, is what I
should have said.
Perhaps we should improve our
implementation and push for its adoption
The other UAs have flat our refused to ever implement something like
this. I can understand why. I wouldn't implement it in a new UA either
(e.g. servo).
If there's no hope for getting traction with other vendors, then it
pretty much settles it. But what were their motivations? It it was lack
of good use cases, then see below.
In principle, functionality provided by xml:base seems useful for web
applications that deal with third-party content.
I think using seamless/sandboxed iframes is the right way to deal with
third-party content. Certainly pulling in untrusted third-party content
directly is a security hole.
Unless something like Content Security Policy is implemented, which
would make it possible to inject untrusted content without XSS risks,
thus making the above use case more legitimate.
- Adam
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
