- From: James Browning <notifications@github.com>
- Date: Sun, 17 Nov 2019 18:58:21 -0800
- To: w3c/webcomponents <webcomponents@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 18 November 2019 02:58:23 UTC
> doesn't failing open just leave people who forget these checks exposed? it only takes one slipup, and a malicious script could exfiltrate user data, exploit jit bugs, etc. I still think CSP is the way to go, it allows applying a policy across all vulnerable code sites without accidentally missing one. Also thinking about it more this would be useful beyond modules simply for enforcing unknown content isn't being inserted into unexpected usage sites with `fetch`/etc. Though to do this `Content-Security-Policy` would need to support some kind of glob/regexp esque matching e.g. (glob style): `Content-Security-Policy: content-type *.json application/json, *.js text/javascript, *.css text/css, *.config application/json, https://foo.bar/* application/json https://foo.bar/lib.js application/javascript` -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/webcomponents/issues/839#issuecomment-554830018
Received on Monday, 18 November 2019 02:58:23 UTC