CSP when external script loads another external script? from James Marshall on 2013-04-18 (public-webappsec@w3.org from April 2013)

From: James Marshall <james@jmarshall.com>
Date: Thu, 18 Apr 2013 11:10:18 -0700
To: public-webappsec@w3.org
Message-ID: <CAGEp=f1ci8Sk-Tb=Oa1JXiGpm7ctGraPHb7ZoAmLivYbmcWp4w@mail.gmail.com>

Something in the CSP draft is unclear to me-- if an HTML document has an
external script element that in turn loads another external script (via
Document.write(),  Node.appendChild(), etc.), is the loading of that second
script governed by the policy of the first script resource, or by the
policy of the original HTML document?

Apologies if I missed something.  All related explanations welcome, as I'm
new to CSP, and need to get it thoroughly right in my app (physical safety
is at stake).

Thanks,
James

Received on Friday, 19 April 2013 08:00:14 UTC