Re: [HTML imports]: Imports and Content Security Policy

On 10 January 2014 14:08, Frederik Braun <fbraun@mozilla.com> wrote:

> Yes, imagine an XSS vulnerability on example.com. Using this to include
> imported.com shouldn't mean that the CSP in place (which allows
> imported.com) is suddenly allowing everything that is also mentioned in
> the policy of imported.com.
>
Sorry, I don't follow. In your example, you said the CSP of imported.com was
'self' only.

Received on Friday, 10 January 2014 14:11:22 UTC