Re: HTML imports: new XSS hole?

Yup, like I said, it shouldn't be any worse. From what I've seen with
Chrome, at the very least, import links are handled with the same CSP as
script tags. Which is certainly a good thing. I suppose that if you needed
the ability to sandbox them further, just wrap them inside a sandboxed
iframe. It's a bit ugly but it works.
On Jun 2, 2014 5:56 AM, "Anne van Kesteren" <annevk@annevk.nl> wrote:

> On Mon, Jun 2, 2014 at 2:54 PM, James M Snell <jasnell@gmail.com> wrote:
> > So long as they're handled with the same policy and restrictions as the
> > script tag, it shouldn't be any worse.
>
> Well, <script> is assumed to be unsafe, <link> is not (at least not to
> the same extent).
>
>
> --
> http://annevankesteren.nl/
>

Received on Monday, 2 June 2014 13:03:20 UTC
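An added example, not part of this thread: a small JavaScript check that evaluates a page's CSP the way the reply describes Chrome treating imports, i.e. a `<link rel="import">` is governed by `script-src`, falling back to `default-src`. The function names and the simplified source-expression matching (`'self'`, `'none'`, `*`, `scheme:`, host and `*.host`) are my own; a real browser's matcher also handles ports, paths, nonces and hashes.

```javascript
// Parse a CSP header into { directive: [source expressions] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Simplified source-expression match (hypothetical helper, not a browser API).
function sourceMatches(expr, url, self) {
  const e = expr.replace(/^'|'$/g, '').toLowerCase();
  if (e === 'none') return false;
  if (e === '*') return true;
  if (e === 'self') return url.origin === self.origin;
  if (e.endsWith(':')) return url.protocol === e;          // scheme source
  let scheme = null;
  let hostExpr = e;
  const i = e.indexOf('://');
  if (i !== -1) {                                           // scheme://host
    scheme = e.slice(0, i + 1);
    hostExpr = e.slice(i + 3).split('/')[0];
  }
  if (scheme && scheme !== url.protocol) return false;
  if (hostExpr.startsWith('*.')) return url.host.endsWith(hostExpr.slice(1));
  return url.host === hostExpr;
}

// Would an HTML import of importUrl be allowed on pageUrl under cspHeader?
// Imports are treated like scripts: script-src, else default-src, else allow.
function importAllowed(cspHeader, pageUrl, importUrl) {
  const policy = parseCsp(cspHeader);
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true;                                // no applicable directive
  const self = new URL(pageUrl);
  const target = new URL(importUrl, pageUrl);               // resolves relative URLs
  return sources.some((expr) => sourceMatches(expr, target, self));
}
```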