Re: [w3c/webcomponents] Shadow dom innerhtml and CSP unsafe-inline (#627)

@rniwa I'm not sure I follow your suggestion entirely. Could you elaborate a bit?

Also it's not necessarily just shadow DOM but more so when using shadow DOM along with the other APIs that are part of web components.
For example, imagine if you wanted to use web components to build a robust library of UI elements that are client-side and therefore can be used and consumed by various technologies like Python, JavaScript, or PHP. So you create custom elements with templates and imports to bring them to the glass.
But while doing this you have to use them in an environment that applies a strict CSP that doesn't allow any inline style tags because it's really allow them all or none. So even if we used a style link in the custom element it would create an inline style tag that gets brought into the body element of the page which would violate the CSP even if located in the shadow DOM.

So my question is: in a scenario like this, is there a way to communicate to the CSP that the style tags in the shadow DOM are actually safe (if that may be the case)?
I've done experiments where I would hash and checksum the style tags which would have to be run as part of the tool chain before pushing code to the server.

Would putting something similar to Subresource Integrity be a possible solution if the style tags were presumably rather static/non-changing?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webcomponents/issues/627#issuecomment-280880591

Received on Saturday, 18 February 2017 22:39:33 UTC
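
The build-step hashing mentioned in the message maps onto CSP hash sources: a `style-src` entry of the form `'sha256-<base64 digest>'` allows an inline style whose text matches that digest exactly. The sketch below is an added example, not code from the thread; the sample template, the function names and the regex-based extraction are assumptions made for illustration.

```javascript
// Added example: build-time generation of CSP hash sources for inline <style> blocks.
const crypto = require('crypto');

// Constructed sample: a component template as the UI library might ship it.
const SAMPLE_TEMPLATE = `
<template id="ui-button">
  <style>:host { display: inline-block; } button { color: #036; }</style>
  <button><slot></slot></button>
</template>`;

// Return the text of every <style> element, byte for byte.
// A regex is adequate for static templates the toolchain controls;
// it is not a general HTML parser.
function extractInlineStyles(html) {
  const styles = [];
  const re = /<style\b[^>]*>([\s\S]*?)<\/style\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) styles.push(m[1]);
  return styles;
}

// CSP hash source: base64 of the SHA-256 digest of the UTF-8 style text.
function cspHashSource(styleText) {
  const digest = crypto.createHash('sha256').update(styleText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Build a style-src directive listing one hash per distinct inline style.
// 'self' covers same-origin linked stylesheets; 'unsafe-inline' is not needed.
function buildStyleSrc(templates) {
  const hashes = new Set();
  for (const html of templates) {
    for (const css of extractInlineStyles(html)) hashes.add(cspHashSource(css));
  }
  return ["style-src 'self'", ...hashes].join(' ');
}

// Pre-deploy check: is this exact style text covered by the directive?
// Any change, even whitespace, yields a different digest and fails.
function isAllowed(directive, styleText) {
  return directive.split(/\s+/).includes(cspHashSource(styleText));
}

const SAMPLE_DIRECTIVE = buildStyleSrc([SAMPLE_TEMPLATE]);
console.log(SAMPLE_DIRECTIVE);
```

Because the digest covers the exact text, any minifier or formatter has to run before hashing, and a style that changes at runtime will not match.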