Simon Pieters

We've seen very few (but not zero) issues due to this. I think we should consider future websites also. If browsers all throw, it's more likely to be caught and...

I like this! There's another axis, which is whether `script` elements run when inserted. See https://github.com/whatwg/html/issues/10090 and demo https://software.hixie.ch/utilities/js/live-dom-viewer/saved/14067 Maybe the `UnsafeHTMLSetterOptions` can have `boolean runScripts = false;` -- or...

Closing and reopening to see if the PR preview makes a new version.

Would this make available the same content that is already available via `fetch()`? Is it possible to use CSP (`connect-src `?) to restrict these imports?

Thanks for filing this. As I understand it, the use case is to be able to execute scripts from WebDriver BiDi (after disabling scripting), including following async operations. The fact...

> From a user perspective, I think it's fine. If a WebDriver BiDi evaluated script happens to trigger a script / function created by the page earlier, it's ok. OK,...

Thanks @sadym-chromium, @juliandescottes. I think it's now clear that it's intentional to run some scripts and why.

There is also https://w3c.github.io/DOM-Parsing/#idl-def-range-createcontextualfragment(domstring) which *does* execute scripts (when inserted into a document). As a possible alternative to `document.write` in the meantime...

No, as an alternative to `document.write` in your hack. Don't even need an iframe, just a `Range` instance. http://software.hixie.ch/utilities/js/live-dom-viewer/saved/4716

> ah, that doesn't allow partial trees Indeed.