Re: [HTML imports]: Imports and Content Security Policy

I'm hoping there are some constraints we can impose on imports to allow
them to contain inline scripts to exist under CSP.

Failing that, we already have a tool ('vulcanizer') which can separate
scripts out of imports (and do the reverse as well).

Whether an import uses inline or external scripts is invisible to the
importer.


On Wed, Jan 29, 2014 at 5:47 PM, Gabor Krizsanits
<gkrizsanits@mozilla.com> wrote:

> One more thing that little bit worries me, that the most common request
> when it comes to CSP is banning inline scripts. If all the imports obey the
> CSP of the master, which I think the only way to go, that also probably
> means that in most cases we can only use imports that do not have any
> inline scripting either... I think this should be mentioned in the spec.
> Since if you develop some huge library let's say, based on imports, and
> then no customer can use it who also wants to have CSP, because it's full of
> inline scripts, that would be quite annoying.

Received on Thursday, 30 January 2014 18:53:37 UTC
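
The separation step mentioned in the reply above, sketched as an added example that is not part of the original thread and is not vulcanizer's code. It assumes a policy such as `script-src 'self'` on the importing page; the function names, the `widget.N.js` naming scheme and the sample import are constructed for illustration.

```javascript
// Added example (not vulcanizer's code). Regex-based for brevity; a real
// tool should use an HTML parser.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;

// True when the type attribute is absent or names a script the browser executes.
function isExecutableType(attrs) {
  const m = /\btype\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
  return !m || /^((text|application)\/(javascript|ecmascript)|module)$/i.test(m[1]);
}

// Move each inline script body into its own file and point the tag at it.
// Assumes the generated files are served from the same origin as the import.
function externalizeInlineScripts(html, baseName) {
  const files = {};
  let n = 0;
  const out = html.replace(SCRIPT_RE, (whole, attrs, body) => {
    if (/(^|\s)src\s*=/i.test(attrs)) return whole; // already external
    if (!isExecutableType(attrs)) return whole;     // data block, never executed
    if (body.trim() === '') return whole;           // nothing to move
    const name = `${baseName}.${n++}.js`;
    files[name] = body;
    return `<script${attrs} src="${name}"></script>`;
  });
  return { html: out, files };
}

// Inline event handlers are refused by the same CSP rule as inline scripts,
// so report any that remain; they need a manual rewrite to addEventListener.
function findInlineHandlers(html) {
  const found = [];
  for (const tag of html.matchAll(/<[a-z][^>]*>/gi)) {
    for (const h of tag[0].matchAll(/\s(on[a-z]+)\s*=/gi)) found.push(h[1].toLowerCase());
  }
  return found;
}

// Constructed sample import, not taken from any real library.
const SAMPLE_IMPORT = [
  '<link rel="import" href="base.html">',
  '<script src="lib.js"></script>',
  '<script>window.widgetReady = true;</script>',
  '<script type="text/template"><b>{{x}}</b></script>',
  '<button onclick="go()">Go</button>',
].join('\n');

const result = externalizeInlineScripts(SAMPLE_IMPORT, 'widget');
console.log(result.html);
console.log(result.files);
console.log('inline handlers left:', findInlineHandlers(result.html));
```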