Mike West

Results 230 comments of Mike West

It feels a bit hacky to have unexplained checks like this in Fetch, but I'm not sure there's a better spot. WDYT? /cc Random sampling of folks who come to...

https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/rOs6YRyBEpw/D3pzVwGJAgAJ spells out the justification a little more clearly. If folks don't fundamentally object, this is something I plan to try out in Chrome: relevant metrics show ~0.0006% of page...

(Blink-only tests at https://cs.chromium.org/chromium/src/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute.html. I'll upstream those to WPT if folks aren't opposed to the notion.)

Merged in the last few ~2 months of changes, and updated on top of a new flag in URL.

Fixed the extra `and`, and moved to the one-flag proposal in the latest version of the URL patch.

With the overarching caveat that you ought to ensure that you're properly escaping variables before dumping them into HTML:

* Assuming that `_relogios` is just plain text, then `` won't...

I think CORS can/should imply TAO for resource-level information around timing and size, but my comment in that previous thread still feels relevant:

> I think we also questioned whether...

Chrome's numbers look a bit different:

**Cross-origin scripts**

MIME | % of page views
-------------|----------------------------
text/html | [~10%](https://www.chromestatus.com/metrics/feature/timeline/popularity/2174)
text/plain | [~4%](https://www.chromestatus.com/metrics/feature/timeline/popularity/2175)
application/octet-stream | [~1%](https://www.chromestatus.com/metrics/feature/timeline/popularity/2172)
application/xml | [~1%](https://www.chromestatus.com/metrics/feature/timeline/popularity/2173)
Other | [~25%](https://www.chromestatus.com/metrics/feature/timeline/popularity/1071)

...

> That number is incredibly high. Sadly you don't seem to count `application/json`? Would this also include no Content-Type?

Yes. "Other" is everything else, including `application/json` and the empty string....

Old fetch patch at https://github.com/whatwg/fetch/pull/519, old URL patch at https://github.com/whatwg/url/pull/284. Tests at https://cs.chromium.org/chromium/src/third_party/WebKit/LayoutTests/http/tests/security/dangling-markup/src-attribute.html, which I'll happily upstream if other folks are interested.