- From: Oda, Terri <terri.oda@intel.com>
- Date: Tue, 3 Jun 2014 10:20:03 -0700
- To: public-webapps@w3.org
Received on Tuesday, 3 June 2014 17:20:33 UTC
On Tue, Jun 3, 2014 at 9:59 AM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 6/3/14, 12:48 PM, Hajime Morrita wrote:
>
>> HTML Imports are a bit more strict. They see CORS header and decline if
>> there is none for cross origin imports.
>> Also, requests for imports don't send any credentials to other origins.
>
> These two measures prevent attacks on other origins via imports.
> It does nothing about attacks by the imported script on the page the
> import is happening into.

Perhaps it would make sense to also require explicit allowing of imports via CSP? Scripts are allowed when no CSP is provided for historical compatibility, so you'd need to make sure that imports fell under a separate directive, but there's no need for backwards compatibility, so it probably makes sense to choose a more conservative default behaviour for HTML Imports.
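The two gates the thread discusses, the CORS check on cross-origin imports and a CSP directive with a deny-by-default fallback, can be modelled in a few lines. The following is an added example written for this archive page, not code from the thread or from any browser; the directive name `import-src`, the `shouldLoadImport` function and the response-header objects are assumptions made for illustration. It contrasts the legacy `script-src` behaviour (no policy means allow) with the conservative default the reply argues for (no policy means deny).

```javascript
// Added example: models CORS and CSP gating of an HTML Import.
// "import-src" is a hypothetical directive name; no browser defined it.

// Parse a CSP header such as "script-src 'self' https://a.example; default-src 'none'"
// into a Map from directive name to its list of source expressions.
function parseCsp(header) {
  const policy = new Map();
  if (!header) return policy; // no CSP header at all
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Simplified source matching: 'none', '*', 'self' and exact origin matches only.
function sourceMatches(sources, pageOrigin, targetOrigin) {
  if (sources.length === 1 && sources[0] === "'none'") return false;
  for (const s of sources) {
    if (s === '*') return true;
    if (s === "'self'" && targetOrigin === pageOrigin) return true;
    if (s === targetOrigin) return true;
  }
  return false;
}

// Look up a directive, falling back to default-src as CSP does. When neither is
// present, `permissiveIfAbsent` decides: true models script-src's historical
// "no policy, no restriction" behaviour; false is the conservative default.
function directiveAllows(policy, directive, pageOrigin, targetOrigin, permissiveIfAbsent) {
  let sources = policy.get(directive);
  if (sources === undefined) sources = policy.get('default-src');
  if (sources === undefined) return permissiveIfAbsent;
  return sourceMatches(sources, pageOrigin, targetOrigin);
}

// Cross-origin imports are fetched without credentials, so the response must
// carry Access-Control-Allow-Origin of '*' or the exact importing origin.
function corsAllowsImport(pageOrigin, importOrigin, responseHeaders) {
  if (importOrigin === pageOrigin) return true; // same-origin: no CORS needed
  const acao = (responseHeaders || {})['access-control-allow-origin'];
  return acao === '*' || acao === pageOrigin;
}

function originOf(url) {
  return new URL(url).origin;
}

// Legacy script behaviour for comparison: absent policy means allowed.
function scriptAllowed(pageUrl, scriptUrl, cspHeader) {
  return directiveAllows(parseCsp(cspHeader), 'script-src',
    originOf(pageUrl), originOf(scriptUrl), true);
}

// Hypothetical import gate: CORS must pass and the (assumed) import-src
// directive must explicitly allow the import's origin; absent policy denies.
function shouldLoadImport({ pageUrl, importUrl, cspHeader, responseHeaders }) {
  const pageOrigin = originOf(pageUrl);
  const importOrigin = originOf(importUrl);
  const reasons = [];
  if (!corsAllowsImport(pageOrigin, importOrigin, responseHeaders)) reasons.push('cors');
  if (!directiveAllows(parseCsp(cspHeader), 'import-src', pageOrigin, importOrigin, false)) {
    reasons.push('csp');
  }
  return { allowed: reasons.length === 0, reasons };
}

// Constructed sample: a page with no CSP importing from a component host.
const noPolicy = shouldLoadImport({
  pageUrl: 'https://app.example/index.html',
  importUrl: 'https://components.example/widget.html',
  cspHeader: '',
  responseHeaders: { 'access-control-allow-origin': '*' },
});
console.log(noPolicy); // { allowed: false, reasons: ['csp'] }
```

With no CSP at all, `scriptAllowed` returns `true` while `shouldLoadImport` refuses the import, which is exactly the asymmetry the reply proposes: a new feature can afford a deny-by-default directive because nothing already deployed depends on the permissive fallback.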