
Re: [HTML imports]: Imports and Content Security Policy

From: Nick Krempel <ndkrempel@google.com>
Date: Fri, 10 Jan 2014 14:10:47 +0000
Message-ID: <CAGu+aDfU7cg04po9MJm3kE3Hp09nPD-O3XioBdafkcF_ddFw0w@mail.gmail.com>
To: Frederik Braun <fbraun@mozilla.com>
Cc: Hajime Morrita <morrita@google.com>, public-webapps <public-webapps@w3.org>, Gabor Krizsanits <gkrizsanits@mozilla.com>
On 10 January 2014 14:08, Frederik Braun <fbraun@mozilla.com> wrote:

> Yes, imagine an XSS vulnerability on example.com. Using this to include
> imported.com shouldn't mean that the CSP in place (which allows
> imported.com) is suddenly allowing everything that is also mentioned in
> the policy of imported.com.
>
Sorry, I don't follow. In your example, you said the CSP of imported.com was
'self' only.
Received on Friday, 10 January 2014 14:11:22 UTC
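The disagreement above is about which policy governs subresources fetched from inside an HTML import: the importing (master) document's CSP alone, or something that also takes the import's own CSP into account. The following is an added illustration, not code from the thread, from the HTML Imports spec, or from any browser. It models the two candidate behaviours with a deliberately minimal CSP source-list matcher and runs the scenario described in the thread (example.com imports imported.com) under policies that are assumed for the example; the hostname cdn.thirdparty.example and the helper names are likewise assumptions.

```javascript
// Added example: a minimal model of CSP enforcement for an HTML import.
// Not the spec's or any browser's behaviour; policies below are assumed.

// Parse a source-list value such as "'self' https://imported.com" into tokens.
function parseSources(value) {
  return value.trim().split(/\s+/).filter(Boolean);
}

// Match one CSP source expression against a URL. `origin` is the origin of the
// document whose policy is being enforced (it defines 'self'). Handles the
// common forms: 'none', 'self', '*', scheme-source ("https:") and host-source
// with an optional scheme and "*." wildcard. Path and port matching are omitted.
function matchesSource(source, url, origin) {
  const u = new URL(url);
  if (source === "'none'") return false;
  if (source === "'self'") return u.origin === origin;
  if (source === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return u.protocol === source.toLowerCase();
  }
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && u.protocol !== scheme.toLowerCase() + ":") return false;
  const h = host.toLowerCase();
  if (h.startsWith("*.")) {
    return u.hostname.endsWith(h.slice(1)) && u.hostname !== h.slice(2);
  }
  return u.hostname === h;
}

// Is a fetch governed by `directive` allowed under `policy`? Falls back to
// default-src when the specific directive is absent, as CSP does.
function allowedBy(policy, origin, directive, url) {
  const value = policy[directive] ?? policy["default-src"];
  if (value === undefined) return true; // nothing restricts this fetch type
  return parseSources(value).some((src) => matchesSource(src, url, origin));
}

// Model A ("union"): a subresource requested from inside the import is allowed
// if either the master's policy or the import's own policy allows it. This is
// the behaviour the thread objects to: an XSS on the master that pulls in an
// import would inherit everything that import's policy names.
function unionModel(master, imp, directive, url) {
  return allowedBy(master.policy, master.origin, directive, url) ||
         allowedBy(imp.policy, imp.origin, directive, url);
}

// Model B ("master only"): only the importing document's policy is consulted,
// evaluated against the master's origin; the import's policy cannot widen it.
function masterOnlyModel(master, imp, directive, url) {
  return allowedBy(master.policy, master.origin, directive, url);
}

// Constructed scenario (assumed policies, not taken from the thread).
const master = {
  origin: "https://example.com",
  policy: { "script-src": "'self' https://imported.com" },
};
// The case Nick refers to: the import's CSP is 'self' only.
const importedSelfOnly = {
  origin: "https://imported.com",
  policy: { "default-src": "'self'" },
};
// The case Frederik worries about: the import's CSP names a further host.
const importedWide = {
  origin: "https://imported.com",
  policy: { "script-src": "'self' https://cdn.thirdparty.example" },
};

function scenario() {
  const importScript = "https://imported.com/component.js";
  const thirdParty = "https://cdn.thirdparty.example/lib.js";
  return {
    // The import itself is allowed by the master's policy under both models.
    importAllowed: masterOnlyModel(master, importedWide, "script-src", importScript),
    // Third-party script pulled in by the import: the union model lets the
    // import's wider policy through; the master-only model does not.
    union: unionModel(master, importedWide, "script-src", thirdParty),
    masterOnly: masterOnlyModel(master, importedWide, "script-src", thirdParty),
    // With a 'self'-only import policy, there is nothing extra to inherit.
    unionSelfOnly: unionModel(master, importedSelfOnly, "script-src", thirdParty),
  };
}

console.log(scenario());
```

Running it shows that the two models only diverge when the import's own policy is wider than the master's; with a 'self'-only policy on imported.com, as in the example Nick refers to, the union model grants nothing beyond what example.com's policy already allows.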
