- From: Frederik Braun <fbraun@mozilla.com>
- Date: Tue, 10 Jun 2014 10:36:27 +0200
- To: public-webapps@w3.org
On 04.06.2014 11:00, Anne van Kesteren wrote:
> On Tue, Jun 3, 2014 at 7:20 PM, Oda, Terri <terri.oda@intel.com> wrote:
>> Perhaps it would make sense to also require explicit allowing of imports via
>> CSP? Scripts are allowed when no CSP is provided for historical
>> compatibility so you'd need to make sure that imports fell under a separate
>> directive, but there's no need for backwards compatibility so it probably
>> makes sense to choose a more conservative default behaviour for HTML
>> Imports.
>
> Using <script import> seems like a solution that would be better in
> that case, as it does not provide opt-in through HTTP. Whenever we
> require HTTP for a feature, we get a ton of complaints. And <script
> import> is not that bad authoring-wise either:
>
> <script import></script>
> <link rel="import" href>
>
> (Okay, you win two code points if you omit the quotes with <link>.)

Were you saying <script import=url></script> or <script src=url import></script>?

I, by the way, wholeheartedly agree that <link> tags become more dangerous through HTML imports and that they are somehow breaking the dogma of "security by no surprises" :)
Received on Tuesday, 10 June 2014 08:36:55 UTC