
Re: [HTML imports]: Imports and Content Security Policy

From: Frederik Braun <fbraun@mozilla.com>
Date: Fri, 10 Jan 2014 09:30:44 +0100
Message-ID: <52CFAFB4.4000406@mozilla.com>
To: public-webapps@w3.org, Gabor Krizsanits <gkrizsanits@mozilla.com>

On 10.01.2014 03:52, Hajime Morrita wrote:
> Hi Frederik,
> Thanks for bringing it up!
> 
> As you pointed out, CSP of imported documents essentially extends the
> set of allowed domains. I thought it was useful for component authors to
> specify their own domains, like one of their own CDNs.

Well, the loss of convenience is indeed unfortunate.
> 
> I'm not sure how it is threatening, because components won't have any
> sensitive state in them, because HTML Imports doesn't have any isolation
> mechanism after all. It however might be an optimistic view.
> 

I'm not concerned about state, but it shouldn't be allowed to bypass a
CSP (which is stated in a header, after all) by a simple content
injection that triggers an HTML Import (XSS is very prevalent and the
main reason we're pushing for CSP is to prevent XSS :))

> Being conservative, it could be better to apply the master document's CSP
> to the whole import tree and ignore CSPs on imports. It is less flexible
> and page authors need to list all domains for possibly imported
> resources, but this flat model looks like what the Web is relying on
> today.
> 
Yes, just to re-emphasize: I think this is the way to go.

> I'd appreciate any feedback and/or suggestions here. It seems there is
> some progress on the CSP side.
> It would be great if there is some new mechanism to handle CSP of
> subresources.
> Things like ES6 modules might benefit from it as well.
Received on Friday, 10 January 2014 08:31:16 UTC
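The two policy models argued over in the message above (an import's CSP extending the master document's allowed sources, versus the "flat model" where the master CSP governs the whole import tree) can be made concrete with a small script-src matcher. The following is an added example written for this page; it is not code from the thread, from any browser, or from the HTML Imports spec, and every policy, origin and URL in it is constructed. It also does not model whether the master CSP would block fetching the import document itself; it only asks whether a script inside an already-loaded import would be allowed.

```javascript
// Added example (not from the original thread): a minimal model of CSP
// script-src matching, used to compare the "extending" and "flat" policy
// models for HTML Imports. All policies, origins and URLs are constructed.

const DEFAULT_PORTS = { "https:": "443", "http:": "80" };

// Parse a CSP header value into { directiveName: [sourceExpressions] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function effectivePort(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || "";
}

// Does one source expression match `url`? Covers 'none', 'self', *,
// scheme-source (https:) and host-source (host, *.host, scheme://host:port),
// which is enough for the comparison below; keyword sources such as
// 'unsafe-inline' never match a URL here.
function sourceMatches(expr, url, self) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "*") return true;
  if (e === "'self'") return url.protocol === self.protocol && url.host === self.host;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/.exec(e);
  if (!m) return false;
  const scheme = m[1] ? m[1] + ":" : self.protocol; // no scheme: inherit self's
  const host = m[2];
  const port = m[3] || DEFAULT_PORTS[scheme] || "";
  if (url.protocol !== scheme) return false;
  if (host.startsWith("*.")) {
    if (!url.hostname.endsWith(host.slice(1))) return false; // *.a.b never matches a.b
  } else if (url.hostname !== host) {
    return false;
  }
  return port === "*" || port === effectivePort(url);
}

// script-src, falling back to default-src; no directive means unrestricted.
function allowsScript(policy, scriptUrl, self) {
  const sources = policy["script-src"] || policy["default-src"];
  if (!sources) return true;
  return sources.some((expr) => sourceMatches(expr, scriptUrl, self));
}

// Model described by Morrita: the import's own CSP extends the allowed set,
// so a script inside the import runs if either policy allows it.
function allowedExtending(masterCsp, importCsp, scriptUrl, self) {
  return allowsScript(masterCsp, scriptUrl, self) || allowsScript(importCsp, scriptUrl, self);
}

// Flat model favoured in the thread: the master document's CSP governs the
// whole import tree and the import's own CSP is ignored.
function allowedFlat(masterCsp, importCsp, scriptUrl, self) {
  return allowsScript(masterCsp, scriptUrl, self);
}

// Constructed scenario: a page with a strict policy, a legitimate component
// whose own CSP adds its CDN, and an import injected via a content-injection
// bug that serves a wide-open CSP of its own.
function scenario() {
  const self = new URL("https://app.example/page");
  const master = parseCsp(
    "default-src 'none'; script-src 'self' https://cdn.example https://*.static.example"
  );
  const component = parseCsp("script-src 'self' https://widgets-cdn.example");
  const injected = parseCsp("script-src *");

  const attackerScript = new URL("https://attacker.example/payload.js");
  const componentScript = new URL("https://widgets-cdn.example/widget.js");
  const cdnScript = new URL("https://cdn.example/lib.js");
  const wildcardScript = new URL("https://img1.static.example/x.js");
  const bareWildcardScript = new URL("https://static.example/x.js");

  return {
    // The injected import widens the policy under the extending model only.
    injectedExtending: allowedExtending(master, injected, attackerScript, self), // true
    injectedFlat: allowedFlat(master, injected, attackerScript, self),           // false
    // Cost of the flat model: the component's CDN must be listed by the page.
    componentExtending: allowedExtending(master, component, componentScript, self), // true
    componentFlat: allowedFlat(master, component, componentScript, self),           // false
    // Sources the master policy allows behave the same under both models.
    cdnFlat: allowedFlat(master, injected, cdnScript, self),                 // true
    wildcardFlat: allowedFlat(master, injected, wildcardScript, self),       // true
    bareWildcardFlat: allowedFlat(master, injected, bareWildcardScript, self), // false
  };
}

if (typeof module !== "undefined" && require.main === module) console.log(scenario());
```

The first two results are the bypass Braun is worried about: an injected `<link rel="import">` pointing at an attacker-controlled document carrying its own permissive CSP lets `attacker.example` run script under the extending model while the page's own `script-src` says otherwise. The `componentFlat` result is the convenience loss Morrita accepts in return. Note that when a document is served with several CSP headers, CSP itself enforces all of them, so only one policy loosening the other is the unusual part of the extending model.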