Re: HTML Imports and CSP from Dimitri Glazkov on 2015-04-07 (public-webappsec@w3.org from April 2015)

From: Dimitri Glazkov <dglazkov@google.com>
Date: Tue, 7 Apr 2015 08:43:34 -0700
To: Mike West <mkwst@google.com>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Brad Hill <hillbrad@gmail.com>, Joel Weinberger <jww@google.com>, Justin Schuh <jschuh@google.com>, Nathan Sobo <nathan@github.com>, Justin Fagnani <justinfagnani@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CADh5Ky2uKY8c8RhVnwexvG0NQUKePcBQ_1CJBNr2aLq6QF-K3w@mail.gmail.com>

On Tue, Apr 7, 2015 at 5:58 AM, Mike West <mkwst@google.com> wrote:

> CCing folks who were inadvertently dropped from explicit CC, to widen the
> net.
>
> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
> On Tue, Apr 7, 2015 at 1:39 PM, Mike West <mkwst@google.com> wrote:
>
>> After thinking about this a bit more over the holidays, I think I'm more
>> in agreement with you than I thought, Dev. :)
>>
>> What do you think about this:
>>
>> 1. Move imports to `import-src` (we'll need to measure usage in Chrome,
>> but assuming this is mostly an extension thing at this point, it should be
>> doable).
>>
>> 2. Give imports their own policy (that is, no longer inherit from the
>> containing document) like Workers and frames, which would enable them to
>> either whitelist `unsafe-inline` themselves, or use nonces/hashes whatever.
>>
>
This seems encouraging. What is the bottom line for developers using CSP?
What is the least that they need to do in order to make HTML Imports usable?

:DG<

Received on Tuesday, 7 April 2015 15:44:01 UTC