Re: HTML imports: new XSS hole?

On 04.06.2014 11:00, Anne van Kesteren wrote:
> On Tue, Jun 3, 2014 at 7:20 PM, Oda, Terri <> wrote:
>> Perhaps it would make sense to also require explicit allowing of imports via
>> CSP?  Scripts are allowed when no CSP is provided for historical
>> compatibility so you'd need to make sure that imports fell under a separate
>> directive, but there's no need for backwards compatibility so it probably
>> makes sense to choose a more conservative default behaviour for HTML
>> Imports.
> Using <script import> seems like a solution that would be better in
> that case, as it does not provide opt-in through HTTP. Whenever we
> require HTTP for a feature, we get a ton of complaints. And <script
> import> is not that bad authoring-wise either:
> <script import></script>
> <link rel="import" href>
> (Okay, you win two code points if you omit the quotes with <link>.)

Were you saying <script import=url></script> or <script src=url

I, by the way, wholeheartedly agree that <link> tags become more
dangerous through HTML imports and that they are somehow breaking the
dogma of "security by no surprises" :)

Received on Tuesday, 10 June 2014 08:36:55 UTC