Re: [HTML imports]: Imports and Content Security Policy

On Mon, Feb 3, 2014 at 2:23 AM, Frederik Braun <fbraun@mozilla.com> wrote:

> On 31.01.2014 06:43, Hajime Morrita wrote:
> > Generally I prefer the master-CSP model over the "own CSP" model due to its
> > simplicity, but I agree that unsafe-script kills the conciseness of
> > Imports.
> >
> > To make inline scripts work with imports, we might want another CSP
> > directive like "safe-script", which allows parser-made <script> but
> > doesn't allow dynamic ones. There is some room to talk about what should be
> > allowed as "safe-script" though. My gut feeling is A) <script>: Allowed,
> > but B) inline event handlers: Not allowed.
>
> What is a "safe" script? What do you mean by parser-made script tags?
> We must be careful not to allow bypassing CSP with a simple XSS.
>

Forget about "safe". I tried to give some name to the notion.

Parser-made script means the <script> tags and their contents that are
written in the HTML bytestream, not given by DOM mutation calls from scripts.
As HTML Imports doesn't allow document.write(), it seems safe to assume
that these scripts are statically given by the author, not an attacker.

I agree that we should be careful here though. We need to take care of
innerHTML somehow, for example.


> >
> > Does this make sense?
>
>


-- 
morrita

Received on Monday, 3 February 2014 20:58:56 UTC