Re: [HTML imports]: Imports and Content Security Policy

On 10.01.2014 03:52, Hajime Morrita wrote:
> Hi Frederik,
> Thanks for bringing it up!
> 
> As you pointed out, CSP of imported documents essentially extends the
> set of allowed domains. I thought I was useful for component authors to
> specify their own domains, like one of their own CDN.

Well the loss of convenience is indeed unfortunate.
> 
> I'm not sure how it is threatening because components won't have any
> sensitive state in it
> because HTML Imports doesn't have any isolation mechanism after all. It
> however might be an optimistic view.
> 

I'm not concerned about state, but it shouldn't be allowed to bypass a
CSP (which is stated in a header, after all) by a simple content
injection that triggers an HTML Import (XSS is very prevalent and the
main reason we're pushing for CSP is to prevent XSS :))

> Being conservative, it could be better to apply master document's CSP to
> whole import tree
> and ignore CSPs on imports. It is less flexible and page authors need to
> list all domains for
> possibly imported resources, but this flat model looks what Web is
> relying today.
> 
Yes, just to re-emphasize: I think this is the way to go.

> I'd appreciate any feedback and/or suggestions here. It seems there is
> some progress on CSP side.
> It would be great if there is some new mechanism to handle CSP of
> subresources.
> Things like ES6 modules might get benefit from it as well.

Received on Friday, 10 January 2014 08:31:16 UTC