Re: [HTML imports]: Imports and Content Security Policy

On Fri, Jan 10, 2014 at 5:30 PM, Frederik Braun <fbraun@mozilla.com> wrote:

> On 10.01.2014 03:52, Hajime Morrita wrote:
> > Hi Frederik,
> > Thanks for bringing it up!
> >
> > As you pointed out, CSP of imported documents essentially extends the
> > set of allowed domains. I thought it was useful for component authors to
> > specify their own domains, like one of their own CDNs.
>
> Well the loss of convenience is indeed unfortunate.
> >
> > I'm not sure how it is threatening because components won't have any
> > sensitive state in it because HTML Imports doesn't have any isolation
> > mechanism after all. It however might be an optimistic view.
> >
>
> I'm not concerned about state, but it shouldn't be allowed to bypass a
> CSP (which is stated in a header, after all) by a simple content
> injection that triggers an HTML Import (XSS is very prevalent and the
> main reason we're pushing for CSP is to prevent XSS :))
>
> > Being conservative, it could be better to apply the master document's
> > CSP to the whole import tree and ignore CSPs on imports. It is less
> > flexible and page authors need to list all domains for possibly imported
> > resources, but this flat model looks like what the Web is relying on today.
> >
> Yes, just to re-emphasize: I think this is the way to go.
>

Filed: https://www.w3.org/Bugs/Public/show_bug.cgi?id=24268

Although we might come up with a better idea,
I agree that we should start from the safer option.


> > I'd appreciate any feedback and/or suggestions here. It seems there is
> > some progress on the CSP side.
> > It would be great if there were some new mechanism to handle CSP of
> > subresources.
> > Things like ES6 modules might benefit from it as well.


-- 
morrita

Received on Friday, 10 January 2014 08:48:35 UTC
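
The two models discussed in this thread, compared in a small JavaScript sketch. This is an added example, not part of the original messages or of any browser's implementation. It assumes a simplified policy (only `default-src` with `'self'`, `'none'` and scheme://host sources), treats "per-import" as each document's own CSP governing its loads, and uses placeholder hosts throughout.

```javascript
// Simplified model (assumption): only default-src with 'self', 'none' and
// scheme://host sources is understood. Real CSP matching has more cases.
function allowedOrigins(policy, selfOrigin) {
  const directive = (policy || '').split(';').map((d) => d.trim().split(/\s+/))
    .find((tokens) => tokens[0].toLowerCase() === 'default-src');
  if (!directive) return null; // no default-src: this model restricts nothing
  const origins = new Set();
  for (const src of directive.slice(1)) {
    if (src === "'self'") origins.add(selfOrigin);
    else if (src !== "'none'") origins.add(new URL(src).origin);
  }
  return origins;
}

function permits(origins, url) {
  return origins === null || origins.has(new URL(url).origin);
}

// Returns the URLs that end up being fetched anywhere in the import tree.
// model 'per-import': each document's own CSP governs what it loads.
// model 'flat': the master document's CSP governs every load in the tree.
function fetchedUrls(doc, model, masterOrigins) {
  const own = allowedOrigins(doc.csp, new URL(doc.url).origin);
  const master = masterOrigins === undefined ? own : masterOrigins;
  const effective = model === 'flat' ? master : own;
  const fetched = doc.loads.filter((url) => permits(effective, url));
  for (const child of doc.imports) {
    if (!permits(effective, child.url)) continue; // the import itself is blocked
    fetched.push(child.url, ...fetchedUrls(child, model, master));
  }
  return fetched;
}

// Constructed sample tree; every host here is a placeholder.
const page = {
  url: 'https://app.example/index.html',
  csp: "default-src 'self' https://widgets.example",
  loads: ['https://app.example/app.js'],
  imports: [{
    url: 'https://widgets.example/component.html',
    csp: "default-src 'self' https://cdn.widgets.example https://other.example",
    loads: ['https://cdn.widgets.example/lib.js', 'https://other.example/x.js'],
    imports: [],
  }],
};

console.log('per-import:', fetchedUrls(page, 'per-import'));
console.log('flat:      ', fetchedUrls(page, 'flat'));
```

Under the per-import model the import's own policy lets it reach hosts the master header never listed; under the flat model the same loads are blocked unless the page author lists those hosts in the master policy.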