Re: [w3c/webcomponents] HTML, CSS, and JSON modules shouldn't solely rely on MIME type to change parsing behavior (#839)

> e.g. Take this policy for example:
> 
> `Content-Security-Policy: content-type https://foo.bar/*.json text/json`
> 
> There's no way for `foo.bar` to upgrade anything of the form `*.json` to a script. The only way to allow it would be to change the policy to `text/javascript`; this seems as adequately secure as the `with json` approach.

This approach is problematic because it adds more distance between where the type is declared and where it is used.

In addition, this proposal would make CSP directives affect how the served content is parsed (or not parsed), meaning that depending on the CSP directives you have on a website, content may start executing where you were not expecting it to execute. That's a really bad fit for a CSP directive, and in this regard it's actually a worse proposal than not having any type annotation at all. CSP directives should only be used to *enforce a security policy*, not as a mechanism to change the way web browsers process content.

https://github.com/w3c/webcomponents/issues/839#issuecomment-555277916

Received on Tuesday, 19 November 2019 00:43:47 UTC