- From: Jonathan Kingston <jonathan@jooped.com>
- Date: Fri, 27 Mar 2015 23:52:43 +0000
- To: Nathan Sobo <nathan@github.com>
- Cc: public-webappsec@w3.org
- Message-ID: <CAKrjaaUa1zz89h4JtbQoowQ+gG6qtBuhcrJLO_1v2nc-0ddVuw@mail.gmail.com>
This somewhat continues from my previous post about external CSP files: https://lists.w3.org/Archives/Public/public-webappsec/2015Mar/0148.html

I think this approach could be used within the imports too via a link element or perhaps an attribute on the import.

Perhaps imports that have an SRI 'integrity' attribute specified could be treated as a safer context when coupled with using a CSP nonce.

On 27 March 2015 at 22:23, Nathan Sobo <nathan@github.com> wrote:

> Nathan Sobo from the Atom core team here.
>
> For us, the most intuitive solution would be to allow a nonce attribute to be specified on an import, similar to how a nonce can be applied to an inline script. When applied to an import, the nonce would apply transitively to all script tags in all imported documents. It would only apply for inline scripts present at the time of import. Script tags added to imported documents *after* the fact would not have a nonce automatically applied.
>
> We use a CSP in Atom to prevent package authors from accidentally inserting script tags into the document, for example, when previewing a markdown document. However, if they're explicitly asking to do an HTML import, then their intent is clear, and we'd like them to be able to run imported scripts if they have access to the current CSP nonce.
>
> Can anyone articulate to me anything I might be missing here? Would this be a workable solution from a security perspective?
Received on Monday, 30 March 2015 08:26:19 UTC