26898 2014-09-24 20:07:27 +0000 [imports]: <link rel=import> shouldn't be active when added by innerHTML 2015-07-06 08:16:16 +0000 1 1 1 Unclassified WebAppsWG HISTORICAL - Component Model unspecified PC Linux RESOLVED MOVED P2 normal --- 20683 1 morrita dglazkov fbraun jonas mike public-webapps public-webapps-bugzilla oldest_to_newest 112116 0 morrita 2014-09-24 20:07:27 +0000 Reported at https://code.google.com/p/chromium/issues/detail?id=416036 As <script>, it should be disabled when injected by innerHTML. cf. http://www.w3.org/TR/2008/WD-html5-20080610/dom.html#innerhtml0 112125 1 jonas 2014-09-24 20:51:51 +0000 Why? The <script> thing was mostly done in order to get compatibility with existing content. Specifically there was a lot of content out there that did things like: <div id=elem> <script>...</script> lots of content here <div> document.getElementById('elem').innerHTML += "hello world"; This code did not expect the script elements to execute again because back in those days dynamically inserted <script> elements almost never executed. I don't think any of those reasons apply here. First of all "reimporting" the same URL is a no-op since we de-duplicate imports, right? Second, there's no existing content that we need to be compatible with since imports are a new feature. The reason I'd rather not make exceptions for innerHTML is that it creates arbitrary and hard-to-learn inconsistencies. Why innerHTML but not outerHTML or insertAdjecentHTML? What about the jQuery provided $("markup here") and parseHTML? 112145 2 morrita 2014-09-24 22:24:07 +0000 Good question. Your points are valid. I heard that the <script> blacklisting is a safeguard for reducing XSS. Is it misunderstanding the intention of the spec? 112151 3 jonas 2014-09-24 22:35:34 +0000 The current limitation was mainly added in order to be compatible with the web. It was originally not added for any security reasons. I don't think that blocking <script> in innerHTML is a meaningful XSS-prevention mechanism. But others might disagree. 121743 4 hayato 2015-07-06 08:16:16 +0000 Moved to https://github.com/w3c/webcomponents/issues/193