Re: [w3c/webcomponents] Shadow dom innerhtml and CSP unsafe-inline (#627)

No, there is no mechanism like that.

The problem is that the security risk of using inline styling doesn't change regardless of whether it's inside a shadow tree or not. Also, there is no way for the browser to check whether a given shadow tree is created by third-party content (e.g. scripts from another source or a library) or first-party content.

The correct fix is for those component authors to use a link element inside shadow trees instead of forcing users of the components to relax their CSP requirements.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webcomponents/issues/627#issuecomment-280881695

Received on Saturday, 18 February 2017 23:00:37 UTC
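
The fix recommended in the message above, shown as an added example that is not part of the original message or of any project's code. The function names, the `user-card` element and the `/components/user-card.css` path are assumptions, as is a page policy of `Content-Security-Policy: style-src 'self'`.

```javascript
// Added example; all names and the stylesheet path are hypothetical.
// Assumed page policy:  Content-Security-Policy: style-src 'self'

// Before: the <style> element parsed from innerHTML is inline styling.
// Under the policy above the browser refuses to apply it; being inside
// a shadow tree grants no exemption.
function inlineStyledShadow(host) {
  const root = host.attachShadow({ mode: 'open' });
  root.innerHTML = '<style>:host { display: block }</style><slot></slot>';
  return root;
}

// After: the shadow tree references an external stylesheet through a
// link element. The fetch is checked against style-src, so a same-origin
// href loads without 'unsafe-inline' on the embedding page.
function linkedStyledShadow(host, href, doc) {
  const root = host.attachShadow({ mode: 'open' });
  const link = doc.createElement('link');
  link.rel = 'stylesheet';
  link.href = href;
  root.appendChild(link);
  root.appendChild(doc.createElement('slot'));
  return root;
}

// Browser-only registration; skipped where customElements is undefined.
if (typeof customElements !== 'undefined') {
  customElements.define('user-card', class extends HTMLElement {
    constructor() {
      super();
      linkedStyledShadow(this, '/components/user-card.css', document);
    }
  });
}
```
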