Re: [HTML imports]: Imports and Content Security Policy

The security objection to the original "own CSP" design was never fully
developed - I'm not sure it's necessarily a show-stopper.

Nick



On 30 January 2014 18:53, Scott Miles <sjmiles@google.com> wrote:

> I'm hoping there are some constraints we can impose on imports to allow
> them to contain inline scripts to exist under CSP.
>
> Failing that, we already have a tool ('vulcanizer') which can separate
> scripts out of imports (and do the reverse as well).
>
> Whether an import uses inline or external scripts is invisible to the
> importer.
>
>
> On Wed, Jan 29, 2014 at 5:47 PM, Gabor Krizsanits <gkrizsanits@mozilla.com> wrote:
>
>> One more thing that worries me a little bit is that the most common request
>> when it comes to CSP is banning inline scripts. If all the imports obey the
>> CSP of the master, which I think is the only way to go, that also probably
>> means that in most cases we can only use imports that do not have any
>> inline scripting either... I think this should be mentioned in the spec.
>> If you develop some huge library, let's say, based on imports, and
>> then no customer who also wants to have CSP can use it because it's full of
>> inline scripts, that would be quite annoying.
>>
>>
>>
>

Received on Thursday, 30 January 2014 18:58:37 UTC
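
The separation step mentioned in the thread (moving inline scripts out of an import so that it can load under a CSP that bans inline script), as an added example that is not part of the thread and is not vulcanizer's code. The function names, the file-naming scheme and the sample import are assumptions constructed here.

```javascript
// Added example: split executable inline <script> blocks out of an HTML import
// into separate files. Regex-based to stay short; a real tool should use an
// HTML parser. Names and the "<base>.<n>.js" scheme are hypothetical.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const EXECUTABLE_TYPES = new Set(['', 'text/javascript', 'application/javascript']);

function scriptType(attrs) {
  const m = /(?:^|\s)type\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]).trim().toLowerCase() : '';
}

function externalizeInlineScripts(html, baseName) {
  const scripts = [];
  const out = html.replace(SCRIPT_RE, (whole, attrs, body) => {
    // Already external: CSP checks its URL against script-src, so leave it.
    if (/(?:^|\s)src\s*=/i.test(attrs)) return whole;
    // Data blocks such as type="text/template" are never executed.
    if (!EXECUTABLE_TYPES.has(scriptType(attrs))) return whole;
    // Nothing to move out of an empty element.
    if (body.trim() === '') return whole;
    const file = `${baseName}.${scripts.length}.js`;
    scripts.push({ file, code: body });
    return `<script${attrs} src="${file}"></script>`;
  });
  return { html: out, scripts };
}

// Check for a build step: how many executable inline scripts remain?
function countInlineScripts(html) {
  return externalizeInlineScripts(html, 'check').scripts.length;
}

// Constructed sample import: one external script, one template data block,
// and two inline scripts that a no-inline-script CSP would refuse to run.
const SAMPLE_IMPORT = [
  '<link rel="import" href="base.html">',
  '<script src="lib.js"></script>',
  '<script type="text/template"><b>{{name}}</b></script>',
  '<script>document.title = "x";</script>',
  '<script type="text/javascript">',
  '  window.ready = true;',
  '</script>',
].join('\n');

const result = externalizeInlineScripts(SAMPLE_IMPORT, 'widget');
console.log(result.html);
console.log(result.scripts.map((s) => s.file));
```

Inline event-handler attributes such as `onclick` are also blocked when a policy bans inline script; this example does not rewrite them.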