Re: HTML imports: new XSS hole?

On 04.06.2014 11:00, Anne van Kesteren wrote:
> On Tue, Jun 3, 2014 at 7:20 PM, Oda, Terri <terri.oda@intel.com> wrote:
>> Perhaps it would make sense to also require explicit allowing of imports via
>> CSP?  Scripts are allowed when no CSP is provided for historical
>> compatibility so you'd need to make sure that imports fell under a separate
>> directive, but there's no need for backwards compatibility so it probably
>> makes sense to choose a more conservative default behaviour for HTML
>> Imports.
> 
> Using <script import> seems like a solution that would be better in
> that case, as it does not provide opt-in through HTTP. Whenever we
> require HTTP for a feature, we get a ton of complaints. And <script
> import> is not that bad authoring-wise either:
> 
> <script import></script>
> <link rel="import" href>
> 
> (Okay, you win two code points if you omit the quotes with <link>.)

Were you saying <script import=url></script> or <script src=url
import></script>?

I, by the way, wholeheartedly agree that <link> tags become more
dangerous through HTML imports and that they are somehow breaking the
dogma of "security by no surprises" :)

Received on Tuesday, 10 June 2014 08:36:55 UTC
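The "security by no surprises" point above, illustrated as an added example that is not code from the thread or from any browser or spec: a small allowlist policy that treats `<link>` as a harmless, non-executing tag (as a pre-imports sanitizer might) next to one that restricts `rel` to exactly `stylesheet`. Elements are plain `{tag, attrs}` objects so it runs in Node without a DOM; the policy functions, the sample elements and the base origin `https://example.com` are all constructed for this illustration.

```javascript
// Added example (not from the thread): why "<link> is safe" stops being
// true once <link rel="import"> can fetch and execute a whole document.
// Elements are modelled as {tag, attrs} so the check runs without a DOM;
// a real sanitizer would apply the same policy to parsed nodes.

// Constructed sample input: what an attacker-controlled fragment might carry.
const SAMPLE_ELEMENTS = [
  { tag: "p",      attrs: {} },
  { tag: "link",   attrs: { rel: "stylesheet", href: "/site.css" } },
  { tag: "link",   attrs: { rel: "import", href: "https://evil.example/x.html" } },
  // rel is a space-separated token list, so this one also carries "import".
  { tag: "link",   attrs: { rel: "stylesheet import", href: "/x.html" } },
  { tag: "link",   attrs: { rel: "stylesheet", href: "javascript:alert(1)" } },
  { tag: "script", attrs: { src: "https://evil.example/x.js" } },
];

// Naive policy of the pre-imports era: decide by tag name only. <link>
// was allowed because it "only" loads stylesheets; rel/href are not checked.
function naivePolicy(el) {
  const allowedTags = new Set(["p", "a", "img", "link"]);
  return allowedTags.has(el.tag.toLowerCase());
}

// Hardened policy: <link> survives only when the rel token list is exactly
// ["stylesheet"] and href resolves to an http(s) URL. Any other rel value
// (including a list that merely contains "import") is dropped.
function hardenedPolicy(el, baseOrigin = "https://example.com") {
  const tag = el.tag.toLowerCase();
  if (tag !== "link") {
    return new Set(["p", "a", "img"]).has(tag);
  }
  const relTokens = String(el.attrs.rel || "")
    .trim()
    .toLowerCase()
    .split(/\s+/)
    .filter(Boolean);
  if (relTokens.length !== 1 || relTokens[0] !== "stylesheet") {
    return false;
  }
  let url;
  try {
    url = new URL(String(el.attrs.href || ""), baseOrigin);
  } catch (e) {
    return false; // unparseable href: reject rather than guess
  }
  return url.protocol === "https:" || url.protocol === "http:";
}

// Apply a policy to a list of elements and keep only what it accepts.
function sanitize(elements, policy) {
  return elements.filter((el) => policy(el));
}

// Compact description of what survived, for comparing the two policies.
function describe(elements) {
  return elements.map((el) => `${el.tag}[rel=${el.attrs.rel || ""}]`);
}

console.log("naive keeps:   ", describe(sanitize(SAMPLE_ELEMENTS, naivePolicy)));
console.log("hardened keeps:", describe(sanitize(SAMPLE_ELEMENTS, hardenedPolicy)));
```

The naive policy lets both import-carrying `<link>` elements through, which is exactly the surprise the message describes: nothing about the tag name changed, only what the browser will do with it. Checking the full `rel` token list (not just equality with the string "import") matters because `rel="stylesheet import"` is still an import.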