-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allowing cases where document.write is "ok" #18
Comments
Perhaps it might be simpler in cases like this to just allow the |
I came here to file this issue, but I'd like to go further. Probably the most problematic aspect is the ability to https://developers.google.com/web/updates/2016/08/removing-document-write describes an intervention of parser-blocking scripts when a lot of conditions are met. Should we have a policy for only the parser-blocking behavior of |
That's what I was trying to define with:
|
@jakearchibald I see, glad to hear you were also shooting for the same thing! Trying to figure out what the most surgical restriction of bad If that policy also applies to
I made a mistake here, these scripts block the parser, but the |
@clelland, looking at https://github.com/w3c/webappsec-feature-policy/blob/master/policies/document-write.md, I wonder if some of that isn't more about
However, is the parser-blocking behavior not covered by |
Isn't one of the pros of This feels like that would defeat that, given engines would need to load it anyway as a call to I think it would be a way better idea to investigate solutions to the use cases of |
I don't know if that's the case here.
That's reasonable, but the new thing should be in place before the deprecation of the old thing. |
I can't imagine much by itself (although there seems to be interest in getting rid of it), however combined with other policies (e.g.
It's not clear to me if |
Basically what Given enough knowledge of unreachable code it's possible certain fast paths could be enabled, but I don't know that anyone has given this much thought. |
Ok ok, hear me out.
I'm assuming we're allowing developers to block
document.write
because injecting into the browser's streaming parser is a slow path, and can break things like look-ahead parsing.https://jakearchibald.com/2016/fun-hacks-faster-content/ - here I use
document.write
in anabout:blank
iframe to hook into the streaming parser, but I'm pretty sure it doesn't negatively impact the parent page.Maybe
document.write
should be allowed ifdocument.open()
is called either explicitly or implicitly during the life of the document. In spec terms, I think this meansdocument.write
should be allowed if the document open steps have run for this document.The text was updated successfully, but these errors were encountered: