[Bug 25566] New: [imports]: Supporting more than just the script-src CSP directive in imports. from bugzilla@jessica.w3.org on 2014-05-06 (public-webapps-bugzilla@w3.org from May 2014)

From: <bugzilla@jessica.w3.org>
Date: Tue, 06 May 2014 03:00:54 +0000
To: public-webapps-bugzilla@w3.org
Message-ID: <bug-25566-2532@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=25566

            Bug ID: 25566
           Summary: [imports]: Supporting more than just the script-src
                    CSP directive in imports.
           Product: WebAppsWG
           Version: unspecified
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: DOM
          Assignee: morrita@google.com
          Reporter: pdr@google.com
        QA Contact: public-webapps-bugzilla@w3.org
                CC: mike@w3.org, www-dom@w3.org
            Blocks: 20683

The Content Security Policy section of HTML Imports currently specifies:
"Content Security Policy must restrict import loading through the script-src
directive."

There seems to be a slight mismatch between the CSP directives and what HTML
Imports supports. For example, I can imagine html imports being used for just
html+css, or just svg without script.

I don't have a great suggestion for how to support this other than additional
import types such as "import-src". Doing this would require spec'ing how the
transitive CSP dependencies of imports works.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Tuesday, 6 May 2014 03:00:56 UTC