[Bug 22752] New: [imports]: Imports should respect CSP

https://www.w3.org/Bugs/Public/show_bug.cgi?id=22752

            Bug ID: 22752
           Summary: [imports]: Imports should respect CSP
    Classification: Unclassified
           Product: WebAppsWG
           Version: unspecified
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Component Model
          Assignee: dglazkov@chromium.org
          Reporter: morrita@google.com
        QA Contact: public-webapps-bugzilla@w3.org
            Blocks: 20683

Import should beware Content Security Policy [1]

There are at least two questions to adopt CSP for HTML Imports:

- Q1: Which directive should it follow or should it have its own directive?
- Q2: Which document should sub-imports be restricted by?
      The master, or the parent?

For Q1:
It should be script-src. It runs script and it isn't rendered.
Having its own directive could be an option, but I can't come up with
a valid scenario where the author wants such one.

For Q2:
It should follow master's policy, not parent's.
This is because the script runs on the master's scripting context.


[1] http://www.w3.org/TR/CSP/


Received on Monday, 22 July 2013 10:52:58 UTC