- From: Frederik Braun <fbraun@mozilla.com>
- Date: Mon, 03 Feb 2014 11:23:20 +0100
- To: Hajime Morrita <morrita@google.com>, Gabor Krizsanits <gkrizsanits@mozilla.com>
- CC: Nick Krempel <ndkrempel@google.com>, Scott Miles <sjmiles@google.com>, public-webapps <public-webapps@w3.org>
On 31.01.2014 06:43, Hajime Morrita wrote:
> Generally I prefer the master-CSP model to the "own CSP" model due to its
> simplicity, but I agree that unsafe-script kills the conciseness of Imports.
>
> To make inline scripts work with imports, we might want another CSP
> directive like "safe-script", which allows parser-made <script> but
> doesn't allow dynamic ones. There is some room to talk about what should be
> allowed as "safe-script" though. My gut feeling is A) <script>: Allowed,
> but B) inline event handlers: Not allowed.

What is a "safe" script? What do you mean by parser-made script tags?
We must be careful not to allow bypassing CSP with a simple XSS.

>
> Does this make sense?
Received on Monday, 3 February 2014 10:23:55 UTC