W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2013

CSP when external script loads another external script?

From: James Marshall <james@jmarshall.com>
Date: Thu, 18 Apr 2013 11:10:18 -0700
Message-ID: <CAGEp=f1ci8Sk-Tb=Oa1JXiGpm7ctGraPHb7ZoAmLivYbmcWp4w@mail.gmail.com>
To: public-webappsec@w3.org
Something in the CSP draft is unclear to me-- if an HTML document has an
external script element that in turn loads another external script (via
Document.write(),  Node.appendChild(), etc.), is the loading of that second
script governed by the policy of the first script resource, or by the
policy of the original HTML document?

Apologies if I missed something.  All related explanations welcome, as I'm
new to CSP, and need to get it thoroughly right in my app (physical safety
is at stake).

Received on Friday, 19 April 2013 08:00:14 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:32 UTC