- From: Frederik Braun <fbraun@mozilla.com>
- Date: Fri, 10 Jan 2014 09:30:44 +0100
- To: public-webapps@w3.org, Gabor Krizsanits <gkrizsanits@mozilla.com>
On 10.01.2014 03:52, Hajime Morrita wrote:
> Hi Frederik,
> Thanks for bringing it up!
>
> As you pointed out, CSP of imported documents essentially extends the
> set of allowed domains. I thought it was useful for component authors to
> specify their own domains, like one of their own CDN.

Well the loss of convenience is indeed unfortunate.

>
> I'm not sure how it is threatening because components won't have any
> sensitive state in it
> because HTML Imports doesn't have any isolation mechanism after all. It
> however might be an optimistic view.
>

I'm not concerned about state, but it shouldn't be allowed to bypass a
CSP (which is stated in a header, after all) by a simple content
injection that triggers an HTML Import (XSS is very prevalent and the
main reason we're pushing for CSP is to prevent XSS :))

> Being conservative, it could be better to apply master document's CSP to
> whole import tree
> and ignore CSPs on imports. It is less flexible and page authors need to
> list all domains for
> possibly imported resources, but this flat model looks what Web is
> relying today.
>

Yes, just to re-emphasize: I think this is the way to go.

> I'd appreciate any feedback and/or suggestions here. It seems there is
> some progress on CSP side.
> It would be great if there is some new mechanism to handle CSP of
> subresources.
> Things like ES6 modules might get benefit from it as well.
Received on Friday, 10 January 2014 08:31:16 UTC
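
The two models discussed in this message, compared on a constructed import tree. This is an added example, not code from the thread or from any specification. It assumes a policy is only a list of allowed script origins (real CSP source matching is richer), and all URLs and function names are hypothetical.

```javascript
// Constructed sample tree: a master document and two HTML Imports, each
// import declaring its own script origins. All origins are hypothetical.
const sampleTree = {
  url: "https://app.example/index.html",
  scriptSrc: ["https://app.example"],            // policy from the response header
  scripts: ["https://app.example/main.js"],
  imports: [
    { url: "https://app.example/widget.html",    // import the page author intended
      scriptSrc: ["https://cdn.widget.example"],
      scripts: ["https://cdn.widget.example/w.js"],
      imports: [] },
    { url: "https://app.example/uploads/x.html", // import pulled in by injected markup
      scriptSrc: ["https://untrusted.example"],
      scripts: ["https://untrusted.example/p.js"],
      imports: [] },
  ],
};

const origin = (u) => new URL(u).origin;

// model "per-import": an import's own policy extends the inherited set.
// model "flat": the master document's policy applies to the whole tree.
function evaluate(doc, model, inherited = null, out = []) {
  const own = new Set(doc.scriptSrc.map(origin));
  let effective;
  if (inherited === null) effective = own;                 // master document
  else if (model === "flat") effective = inherited;        // import CSP ignored
  else effective = new Set([...inherited, ...own]);        // import CSP added
  for (const s of doc.scripts) {
    out.push({ doc: doc.url, script: s, allowed: effective.has(origin(s)) });
  }
  for (const child of doc.imports) evaluate(child, model, effective, out);
  return out;
}

function allowedScripts(tree, model) {
  return evaluate(tree, model).filter((r) => r.allowed).map((r) => r.script);
}

// Under the flat model the page author lists the widget CDN in the header.
function withMasterSources(tree, extra) {
  return { ...tree, scriptSrc: [...tree.scriptSrc, ...extra] };
}

console.log("per-import:", allowedScripts(sampleTree, "per-import"));
console.log("flat:      ", allowedScripts(sampleTree, "flat"));
```

With the flat model, the widget's CDN loads only after the page author adds it to the master policy, which is the loss of convenience mentioned above; the injected import's origin stays blocked either way.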